/**
 * Completes an ID token before it is signed: adds the access-token hash when it is
 * missing and copies the nonce of the current request (or of the stored access token).
 *
 * <p>The hash is derived from {@code st.getTokenKey()} with the signature algorithm
 * selected below, and is skipped when that algorithm is {@code NONE}.
 *
 * @param idToken the ID token to update in place
 * @param st the access token the ID token is issued alongside
 */
private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) {
   // A hash that is already present on the token is never recomputed.
   if (idToken.getAccessTokenHash() == null) {
     Properties sigProps = JwsUtils.loadSignatureOutProperties(false);
     // RS256 is the value handed to getSignatureAlgorithm alongside the properties;
     // presumably it is the fallback when they name no algorithm (confirm in JwsUtils).
     SignatureAlgorithm algorithm =
         super.isSignWithClientSecret()
             ? OAuthUtils.getClientSecretSignatureAlgorithm(sigProps)
             : JwsUtils.getSignatureAlgorithm(sigProps, SignatureAlgorithm.RS256);
     // NOTE(review): with NONE no hash is set, so the issued ID token carries nothing
     // that ties it to this access token; confirm NONE is never configured where
     // clients rely on validating the hash.
     if (algorithm != SignatureAlgorithm.NONE) {
       idToken.setAccessTokenHash(
           OidcUtils.calculateAccessTokenHash(st.getTokenKey(), algorithm));
     }
   }

   // Nonce: a value on the current message exchange wins over the one kept on the
   // access token; when neither exists the token's nonce is left as it is.
   // NOTE(review): the exchange value is copied without any check here; presumably it
   // was validated when it was placed on the exchange (verify against the writer).
   Message current = JAXRSUtils.getCurrentMessage();
   boolean nonceOnExchange =
       current != null && current.getExchange().containsKey(OAuthConstants.NONCE);
   if (nonceOnExchange) {
     idToken.setNonce((String) current.getExchange().get(OAuthConstants.NONCE));
     return;
   }
   if (st.getNonce() != null) {
     idToken.setNonce(st.getNonce());
   }
 }
 /**
  * Returns the serialized ID token to hand out with the given access token, or
  * {@code null} when no source for one is available.
  *
  * <p>Sources are tried in this order: the configured {@code userInfoProvider}, an
  * {@code OidcUtils.ID_TOKEN} entry in the subject's properties, and finally the ID
  * token held by an {@code OidcUserSubject}.
  *
  * @param st the access token being issued
  * @return the processed ID token, the stored property value, or {@code null}
  */
 private String getProcessedIdToken(ServerAccessToken st) {
   if (userInfoProvider != null) {
     // NOTE(review): the provider's result is used without a null check; confirm its
     // contract guarantees a token for every client/subject/scope combination.
     IdToken providedToken =
         userInfoProvider.getIdToken(
             st.getClient().getClientId(), st.getSubject(), st.getScopes());
     setAtHashAndNonce(providedToken, st);
     return super.processJwt(new JwtToken(providedToken), st.getClient());
   }

   if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) {
     // The stored value is returned exactly as found: this path neither sets the
     // access-token hash or nonce nor calls processJwt, so any binding to this access
     // token has to exist in the stored token already.
     return st.getSubject().getProperties().get(OidcUtils.ID_TOKEN);
   }

   if (!(st.getSubject() instanceof OidcUserSubject)) {
     return null;
   }

   OidcUserSubject oidcSubject = (OidcUserSubject) st.getSubject();
   // Work on a new IdToken built from the subject's token, then point its audience
   // and authorized party at the client that receives it.
   IdToken clonedToken = new IdToken(oidcSubject.getIdToken());
   clonedToken.setAudience(st.getClient().getClientId());
   clonedToken.setAuthorizedParty(st.getClient().getClientId());
   // If this access token came from a refresh, the cloned ID token may still need its
   // issuedAt and expiry times adjusted; that is not done here.
   setAtHashAndNonce(clonedToken, st);
   return super.processJwt(new JwtToken(clonedToken), st.getClient());
 }