Even though I'm somewhat familiar with how "azp" got in the spec, from kind of knowing about Google's use case of "cid", and sort of know what it's supposed to do, I find the current text in the spec to be pretty confusing.
For example, there's text now for azp that says it "identifies an OAuth 2.0 Client authorized to use this ID Token as an OAuth Access Token." But I don't know what that actually means. There's no way to identify who the client is using an OAuth bearer token. So what does it mean to be authorized? How does one check or enforce that?
That's just one example. Other text that talks about id token validation and I still read it and don't see how it's different than a token w/ more than one audience. Just different with more rules. I know it's been said that this could be used for a HoK type token but we don't have that yet.
I believe that more clarification about what azp really is and what the OP and client are supposed to do with it would be good. As well as other systems and actors.
Folks (George/Nat) on the call (March 28) suggested that it's more aptly described as an "issued to" or "registered to" respectively.
And I still think different people have somewhat different ideas about what this thing is.
Common understanding and clarification would be good.
This issue is admittedly somewhat ticky-tacky but I was asked on the March 28 call to go ahead and file something on it for posterity. So that's what I'm doing.