Fixing disableAtHashCheck, not being recognized correctly

[dorianweidler]

In the current version of the project, even when disableAtHashCheck is true, the hash check will be performed anyway. This results in an error as params.idTokenClaims['at_hash'] is undefined.

This was caused by calling this.checkAtHash(validationParams), even when disableAtHashCheck was set true.

This PR solves #466 mentioned by @joel-kr.

[Toxicable]

@manfredsteyer Hey, would you be able to give this a quick look over? We're interested in using it

[philippederyck]

I ran into a similar issue while running a demo with PKCE against auth0. When both tokens are passed in response to exchanging the authorization code, there is no at_hash value (it is marked optional in the spec), and the flow fails due to it.

[jasmdk]

We have the same issue. According to https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken the at_hash is optional except when the response_type is "code id_token token" and when we use the "code" response_type against Keycloak it does not return an at_hash because it is optional.
@manfredsteyer any chance it can be merged into next release?

[BrandonClapp]

I'm encountering the same issue with Auth0 using "code" response_type.

It appears that OAuthService.processIdToken still checks for the at_hash even when disableAtHashCheck is set to true.

Looking at this PR, it looks like the code should fix this issue, however the code is only present in docs/injectables/OAuthService.html. It seems like this fix should be in projects/lib/src/oauth-service.ts

[dorianweidler]

The PR also adds the fix in the libraries sourcecode:
28316ed#diff-fbc8c2d288ee2f0a2a9d42a46e5292bd

Probably you missed that.

[BrandonClapp]

Whoops, I did miss it! Disregard my PR.

I'm currently running an altered version of this library (with this PRs changes) to bypass the at_hash check in order to get this working with Auth0. Hope this gets merged before next release!