Validate token, state and code after a redirect

This example shows how to verify that the redirect parameters have not been tampered with, which mitigates the authorization response parameter injection attack.
The hashes in the claims at_hash, c_hash and s_hash are compared with hashes of, respectively, the id_token, code and state.
More info on this topic: https://openid.net/specs/openid-financial-api-part-2-1_0.html#authorization-response-parameter-injection-attack
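
The code and state part of this comparison, as an added Node.js example that is not this demo's own code. It assumes the ID token's signature and standard claims were already verified and that `header` and `claims` are its decoded parts; the function names and sample values are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// The hash is selected by the bit size in the ID token's JWS "alg" (PS256 -> SHA-256).
const HASH_FOR_ALG_SIZE = { 256: 'sha256', 384: 'sha384', 512: 'sha512' };

// base64url( left-most half of hash( ASCII octets of value ) ), the
// construction OpenID Connect Core defines for c_hash and FAPI reuses for s_hash.
function leftHalfHash(value, alg) {
  const hashName = HASH_FOR_ALG_SIZE[String(alg).slice(-3)];
  if (!hashName) throw new Error(`unsupported ID token alg: ${alg}`);
  const digest = createHash(hashName).update(value, 'ascii').digest();
  return digest.subarray(0, digest.length / 2).toString('base64url');
}

// Assumption: signature, iss, aud, exp and nonce of the ID token were checked
// before this runs; `header` and `claims` are its decoded header and payload.
function validateRedirect(params, header, claims) {
  const errors = [];
  for (const [claim, param] of [['c_hash', 'code'], ['s_hash', 'state']]) {
    const received = params[param];
    if (typeof claims[claim] !== 'string') {
      errors.push(`${claim} missing from ID token`); // absent claim is a failure
    } else if (typeof received !== 'string' || received === '') {
      errors.push(`${param} missing from redirect`);
    } else if (leftHalfHash(received, header.alg) !== claims[claim]) {
      errors.push(`${param} does not match ${claim}`);
    }
  }
  return errors; // empty array: code and state are bound to this ID token
}

// Constructed sample values, not taken from a real authorization server.
const header = { alg: 'PS256' };
const claims = {
  c_hash: leftHalfHash('SplxlOBeZQQYbYS6WxSbIA', 'PS256'),
  s_hash: leftHalfHash('af0ifjsldkj', 'PS256'),
};
const genuine = { code: 'SplxlOBeZQQYbYS6WxSbIA', state: 'af0ifjsldkj' };
// Same state and ID token, but the code was swapped in the redirect.
const injected = { ...genuine, code: 'code-from-another-session' };

console.log(validateRedirect(genuine, header, claims));
console.log(validateRedirect(injected, header, claims));
```

A client should stop processing the redirect and not send the code to the token endpoint when the returned array is non-empty.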






