From b2a658d0914f15f9aaece32d1fc916aed81f7d12 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 7 Oct 2022 17:07:33 +0300
Subject: [PATCH] providers/oauth2: remove c_hash and nonce claim if they're
 not set

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/providers/oauth2/models.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/authentik/providers/oauth2/models.py b/authentik/providers/oauth2/models.py
index b0a1c6268..c4f685534 100644
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@@ -391,7 +391,6 @@ class IDToken:
     acr: Optional[str] = ACR_AUTHENTIK_DEFAULT
 
     c_hash: Optional[str] = None
-
     nonce: Optional[str] = None
     at_hash: Optional[str] = None
 
@@ -400,9 +399,14 @@ class IDToken:
     def to_dict(self) -> dict[str, Any]:
         """Convert dataclass to dict, and update with keys from `claims`"""
         id_dict = asdict(self)
-        # at_hash should be omitted when not set instead of retuning a null claim
+        # The following claims should be omitted if they aren't set instead of being
+        # set to null
         if not self.at_hash:
             id_dict.pop("at_hash")
+        if not self.nonce:
+            id_dict.pop("nonce")
+        if not self.c_hash:
+            id_dict.pop("c_hash")
         id_dict.pop("claims")
         id_dict.update(self.claims)
         return id_dict