Question:
The "Generate ID Token" assertion can create/add "c_hash" and "at_hash" values in the ID token. Is this a way to configure this algorithm? If not, what does this default to?
Answer:
As of OTK 4.2 / Gateway 9.3 this is algorithm is not configurable.
The code hash and access token hash values will always use the hash algorithm SHA256 even if something different is specified in the JWT header "alg" value. An enhancement request exists on the API Management communities:
https://communities.ca.com/community/ca-api-management-community