dxbjavid commented on PR #3166: URL: https://github.com/apache/cxf/pull/3166#issuecomment-4600173291
You're right, that's on me. The wording I had in mind, "If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present," is step 4 in the original Core 1.0 and in errata1, but errata set 2 (the version you linked) dropped it and replaced it with the weaker "validate the azp value as specified by those extensions" text. So the current spec doesn't require it the way I framed here. I'll close this one. Thanks for checking.
