Contradictory statements about ID Token azp Claim
Issue #1009
resolved
In http://openid.net/specs/openid-connect-core-1_0.html#IDToken:
azpOPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience.
In http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation:
4) If the ID Token contains multiple audiences, the Client SHOULD verify that an
azpClaim is present.
If I read it correctly, the first fragment states that azp is optional and might be needed only when there is only one audience, while the second fragment states that azp must be present when there are multiple audiences. Isn't it a contradiction?
Comments (5)
-
-
-
assigned issue to
Michael Jones
- changed milestone to Errata
-
assigned issue to
-
- changed status to open
-
-
- changed status to resolved
- Log in to comment
Much of this ground has already been covered in issue
#973- https://bitbucket.org/openid/connect/issues/973/core-2-3137-azp-claim-underspecified-and.I propose that this be addressed as part of addressing
#973.