fix(oidc): fail close at validating c_hash and at_hash

lepture · lepture · commit b9bb2b25bf8b · 2026-03-01T00:30:33.000+09:00
diff --git a/authlib/oidc/core/claims.py b/authlib/oidc/core/claims.py
@@ -303,6 +303,6 @@ def get_claim_cls_by_response_type(response_type):
 
 def _verify_hash(signature, s, alg):
     hash_value = create_half_hash(s, alg)
-    if not hash_value:
-        return True
+    if hash_value is None:
+        return False
     return hmac.compare_digest(hash_value, to_bytes(signature))
diff --git a/tests/core/test_oidc/test_core.py b/tests/core/test_oidc/test_core.py
@@ -99,9 +99,10 @@ def test_validate_at_hash():
     )
     claims.params = {"access_token": "a"}
 
-    # invalid alg won't raise
+    # invalid alg will raise too
     claims.header = {"alg": "HS222"}
-    claims.validate(1000)
+    with pytest.raises(InvalidClaimError):
+        claims.validate(1000)
 
     claims.header = {"alg": "HS256"}
     with pytest.raises(InvalidClaimError):
@@ -143,10 +144,11 @@ def test_hybrid_id_token():
     with pytest.raises(MissingClaimError):
         claims.validate(1000)
 
-    # invalid alg won't raise
+    # invalid alg will raise too
     claims.header = {"alg": "HS222"}
     claims["c_hash"] = "a"
-    claims.validate(1000)
+    with pytest.raises(InvalidClaimError):
+        claims.validate(1000)
 
     claims.header = {"alg": "HS256"}
     with pytest.raises(InvalidClaimError):
