How do I validate an access token using the at_hash claim of an id token?

遇见更好的自我 2021-02-09 19:36

Say I have the following response from Google's OAuth2 /token endpoint after exchanging the code obtained from the /auth endpoint (using this example

5 answers
  •  小蘑菇 (OP)
    2021-02-09 20:23

    Basic Java solution:

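    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Arrays;
    import java.util.Base64;

    public class AtHash {
        private static final String accessToken = "rvArgQKPbBDJkeTHwoIAOQVkV8J0_i8PhrRKyLDaKkk.iY6nzJoIb2dRXBoqHAa3Yb6gkHveTXbnM6PGtmoKXvo";
        public static void main(String[] args) throws NoSuchAlgorithmException {
            // SHA-256 applies when the ID token's "alg" header ends in 256 (e.g. RS256)
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] asciiValue = accessToken.getBytes(StandardCharsets.US_ASCII);
            byte[] encodedHash = md.digest(asciiValue);
            // at_hash is the left-most half of the hash, base64url-encoded without padding
            byte[] halfOfEncodedHash = Arrays.copyOf(encodedHash, (encodedHash.length / 2));
            System.out.println("at_hash generated from access-token: " + Base64.getUrlEncoder().withoutPadding().encodeToString(halfOfEncodedHash));
        }
    }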
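
The answer above computes the hash for the SHA-256 case only. The following is an added example, not part of the original post, that generalizes it: it picks the hash from the ID token's `alg` header and compares the result with the `at_hash` claim in constant time. The function names and the constructed token are hypothetical, and the ID token's signature, `iss`, `aud` and `exp` are assumed to have been verified already.

```python
import base64
import hashlib
import hmac
import json

# JWS "alg" suffix -> hash used for at_hash (OpenID Connect Core, section 3.1.3.6)
_HASH_BY_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compute_at_hash(access_token: str, alg: str) -> str:
    """Left-most half of hash(ASCII access token), base64url without padding."""
    hash_fn = _HASH_BY_SUFFIX.get(alg[-3:]) if len(alg) == 5 else None
    if hash_fn is None:  # rejects "none", EdDSA and anything else unmapped
        raise ValueError(f"unsupported ID token alg: {alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def access_token_matches(id_token: str, access_token: str) -> bool:
    """Compare the at_hash claim with the value recomputed from access_token.

    Assumption: the ID token's signature and standard claims were verified before this call.
    """
    header_b64, payload_b64, _signature = id_token.split(".")
    alg = json.loads(_b64url_decode(header_b64))["alg"]
    claimed = json.loads(_b64url_decode(payload_b64)).get("at_hash")
    if not isinstance(claimed, str):
        return False  # claim absent: no binding to check, caller decides policy
    expected = compute_at_hash(access_token, alg)
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("ascii"))


def make_unsigned_id_token(alg: str, claims: dict) -> str:
    """Constructed fixture for the demo only: header.payload plus a dummy signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    token = "constructed-access-token"  # constructed sample value
    idt = make_unsigned_id_token("RS256", {"at_hash": compute_at_hash(token, "RS256")})
    print(access_token_matches(idt, token), access_token_matches(idt, token + "x"))
```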
    
