Contradictory statements about ID Token azp Claim
In http://openid.net/specs/openid-connect-core-1_0.html#IDToken:
azp: OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience.
In http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation:
4) If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
If I read it correctly, the first fragment states that azp is optional and might be needed only when there is only one audience, while the second fragment states that azp must be present when there are multiple audiences. Isn't it a contradiction?
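The two rules quoted above are easier to compare when written as a check. The following is an added example, not code from the spec or from this issue thread: it applies the audience/azp validation steps (Core 1.0 section 3.1.3.7, steps 3 to 5) to claims that have already passed signature verification. The claim dictionaries and client IDs are constructed for illustration.

```python
from typing import Dict, List, Any

# Added example: aud/azp validation for an already signature-verified ID Token.
# Core 1.0, ID Token Validation (paraphrased):
#   3. aud MUST contain the Client's client_id (extra untrusted audiences MAY
#      be rejected; this example only reports, it does not reject them).
#   4. With multiple audiences, the Client SHOULD verify an azp Claim is present.
#   5. If azp is present, the Client SHOULD verify it equals its client_id.
# Note that a single-audience token carries no obligation to include azp,
# which is what the "OPTIONAL" wording in the claim definition is about.

def check_aud_azp(claims: Dict[str, Any], client_id: str) -> List[str]:
    """Return the list of aud/azp rule violations (empty list means OK)."""
    failures: List[str] = []

    # 'aud' may be a single string or a list of strings (RFC 7519 / OIDC).
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])

    if client_id not in audiences:
        failures.append("aud does not contain this client_id")

    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        failures.append("multiple audiences but azp Claim is missing")
    if azp is not None and azp != client_id:
        failures.append("azp does not match this client_id")
    return failures


def demo() -> Dict[str, List[str]]:
    """Run the check over constructed claim sets; keys describe each case."""
    me = "client-a"  # constructed client_id of the relying party doing the check
    cases = {
        "single aud, no azp": {"aud": me, "iss": "https://op.example"},
        "multi aud, no azp": {"aud": [me, "client-b"], "iss": "https://op.example"},
        "multi aud, azp ok": {"aud": [me, "client-b"], "azp": me},
        "multi aud, azp wrong": {"aud": [me, "client-b"], "azp": "client-b"},
        "wrong aud": {"aud": "client-x"},
    }
    return {name: check_aud_azp(c, me) for name, c in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result or 'OK'}")
```

Whether a missing azp on a multi-audience token is a hard failure or only a warning is a policy choice, since step 4 is a SHOULD; the example reports it as a failure so the condition is visible.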
Comments (5)
- assigned issue to
- changed milestone to Errata
- assigned issue to
- changed status to open
- changed status to resolved
Much of this ground has already been covered in issue #973 (https://bitbucket.org/openid/connect/issues/973/core-2-3137-azp-claim-underspecified-and). I propose that this be addressed as part of addressing #973.