Hello,

I'm trying to grasp the use of the azp claim in OIDC. The specification seems to give minimal context in general, but also contradicts itself if I read correctly.

For the audience claim the following is stated: "It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value." Hence, client_id MUST be one of the audiences.

And in relation to the authorized party, the following is mentioned: "If present, it MUST contain the OAuth 2.0 Client ID of this party." Thus, it can only contain the client_id if present.

However, the same paragraph then goes on: "This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party." This contradicts the first two quotes, since if there is only a single audience, then both aud and azp MUST be exactly the client_id and they can't possibly be different.

What I'm trying to understand: is the intention of azp to select an authorized party from a list of *multiple* audiences? This seems to be hinted at in section 3.1.3.7 ID Token Validation: "4. If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present."

- Pieter

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
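The aud/azp checks the post quotes from section 3.1.3.7 (steps 3 to 5: aud MUST contain the Relying Party's client_id, with multiple audiences the Client SHOULD verify azp is present, and if azp is present it MUST equal the client_id) are easy to get wrong in a Relying Party, so here is a worked validation routine. It is an added example, not code from the post or from any OpenID project; it assumes the JWT signature has already been verified and the payload decoded into a dict, and the client_id and sample tokens are constructed for illustration.

```python
"""Validate the aud and azp claims of an OpenID Connect ID Token for one
Relying Party, following OIDC Core section 3.1.3.7 steps 3-5.

Assumption: the token's signature has already been verified and its payload
parsed into a dict. Only the audience / authorized-party rules are checked
here; iss, exp, nonce etc. are separate steps of the same section.
"""
from typing import Any, Dict, List, Union


class IdTokenValidationError(Exception):
    """Raised when the ID Token fails audience / authorized-party validation."""


def _audiences(aud: Union[str, List[str]]) -> List[str]:
    # RFC 7519 allows 'aud' to be a single string or an array of strings;
    # normalise to a list so the multi-audience rule can be applied uniformly.
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    raise IdTokenValidationError("aud must be a non-empty string or array of strings")


def validate_audience(claims: Dict[str, Any], client_id: str,
                      require_azp_for_multi_aud: bool = True) -> List[str]:
    """Return the audience list if aud/azp are acceptable for client_id, else raise.

    Step 3: aud MUST contain this client's client_id.
    Step 4: with multiple audiences the Client SHOULD verify azp is present;
            enforced as a rejection by default (the conservative reading),
            relax with require_azp_for_multi_aud=False.
    Step 5: if azp is present it MUST equal this client's client_id.
    """
    if "aud" not in claims:
        raise IdTokenValidationError("aud claim missing")
    audiences = _audiences(claims["aud"])
    if client_id not in audiences:
        raise IdTokenValidationError("client_id not among audiences")
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None and require_azp_for_multi_aud:
        raise IdTokenValidationError("multiple audiences but no azp claim")
    if azp is not None and azp != client_id:
        raise IdTokenValidationError(f"azp {azp!r} is not this client")
    return audiences


# Constructed sample values; not real identifiers.
CLIENT_ID = "rp-client-123"

SAMPLE_TOKENS: Dict[str, Dict[str, Any]] = {
    # single audience equal to our client_id: azp is not needed
    "single_aud_ok": {"iss": "https://op.example", "sub": "u1", "aud": CLIENT_ID},
    # the case the post asks about: several audiences, azp names us
    "multi_aud_with_azp": {"aud": [CLIENT_ID, "other-client"], "azp": CLIENT_ID},
    # several audiences but no azp: step 4 says we SHOULD verify it is present
    "multi_aud_no_azp": {"aud": [CLIENT_ID, "other-client"]},
    # we are an audience, but the token was issued to another party
    "azp_mismatch": {"aud": [CLIENT_ID, "other-client"], "azp": "other-client"},
    # token not intended for us at all
    "wrong_audience": {"aud": "other-client", "azp": "other-client"},
}


def check_samples() -> Dict[str, str]:
    """Run every constructed sample through validate_audience and report the outcome."""
    results: Dict[str, str] = {}
    for name, claims in SAMPLE_TOKENS.items():
        try:
            validate_audience(claims, CLIENT_ID)
            results[name] = "accepted"
        except IdTokenValidationError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in check_samples().items():
        print(f"{name:20s} {outcome}")
```

The multi-audience-without-azp case is rejected by default even though the spec wording is SHOULD rather than MUST: a Relying Party that never expects to share an ID Token with another audience loses nothing by refusing such tokens, and a token issued to a different client but listing this client among its audiences is then caught by the azp comparison rather than accepted on the aud check alone.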
