private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) { if (idToken.getAccessTokenHash() == null) { Properties props = JwsUtils.loadSignatureOutProperties(false); SignatureAlgorithm sigAlgo = null; if (super.isSignWithClientSecret()) { sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props); } else { sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256); } if (sigAlgo != SignatureAlgorithm.NONE) { String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo); idToken.setAccessTokenHash(atHash); } } Message m = JAXRSUtils.getCurrentMessage(); if (m != null && m.getExchange().containsKey(OAuthConstants.NONCE)) { idToken.setNonce((String) m.getExchange().get(OAuthConstants.NONCE)); } else if (st.getNonce() != null) { idToken.setNonce(st.getNonce()); } }