[Openid-specs-ab] Issue #1009: Contradictory statements about ID Token azp Claim (openid/connect)

Denis Nedelyaev issues-reply at bitbucket.org
Wed Feb 15 18:21:16 UTC 2017

New issue 1009: Contradictory statements about ID Token azp Claim

Denis Nedelyaev:

In http://openid.net/specs/openid-connect-core-1_0.html#IDToken:

> `azp`
> OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. **This Claim is only needed when the ID Token has a single audience value** and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience.

In http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation:

> 4) **If the ID Token contains multiple audiences, the Client SHOULD verify that an `azp` Claim is present.**

If I read it correctly, the first fragment states that `azp` is optional and might be needed only when there is only one audience, while the second fragment states that `azp` must be present when there are multiple audiences. Isn't it a contradiction?
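As an added example, not part of this thread or of the specification text, the following Python function implements the audience-related ID Token Validation steps from the section the second fragment is quoted from (step 3: `aud` must contain the Client's `client_id`; step 4: with multiple audiences, verify `azp` is present; step 5: if `azp` is present, it must equal the Client's `client_id`). The function name, the `strict_azp` switch and the sample claim sets are assumptions made for this example.

```python
from typing import Any, Dict, List, Union

Claims = Dict[str, Any]


def _audiences(aud: Union[str, List[str]]) -> List[str]:
    """Normalise the aud claim, which may be a single string or an array of strings."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud must be a string or a non-empty array of strings")


def check_audience_claims(claims: Claims, client_id: str, strict_azp: bool = True) -> List[str]:
    """Apply validation steps 3 to 5 (aud / azp) to a decoded ID Token payload.

    Returns a list of problems found; an empty list means the checks passed.
    strict_azp=True treats the SHOULD of step 4 as a hard failure (an assumption
    for this example; a deployment may choose to only log it).
    """
    problems: List[str] = []

    if "aud" not in claims:
        return ["missing aud claim"]
    try:
        aud = _audiences(claims["aud"])
    except ValueError as exc:
        return [str(exc)]

    # Step 3: the Client's own client_id must be listed as an audience.
    if client_id not in aud:
        problems.append("aud does not contain this client's client_id")

    azp = claims.get("azp")

    # Step 4: with more than one audience, an azp claim is expected.
    if len(aud) > 1 and azp is None and strict_azp:
        problems.append("multiple audiences but no azp claim")

    # Step 5: if azp is present, it must name this Client.
    if azp is not None and azp != client_id:
        problems.append("azp does not match this client's client_id")

    return problems


# Constructed sample payloads (not real tokens) covering the cases discussed above.
SAMPLE_CLIENT = "client-a"
SAMPLES = {
    "single_aud_no_azp": {"iss": "https://op.example", "aud": "client-a"},
    "multi_aud_with_azp": {"iss": "https://op.example", "aud": ["client-a", "client-b"], "azp": "client-a"},
    "multi_aud_no_azp": {"iss": "https://op.example", "aud": ["client-a", "client-b"]},
    "wrong_aud": {"iss": "https://op.example", "aud": "client-b"},
    "azp_mismatch": {"iss": "https://op.example", "aud": ["client-a", "client-b"], "azp": "client-b"},
}


def run_samples() -> Dict[str, List[str]]:
    """Evaluate every constructed sample against SAMPLE_CLIENT."""
    return {name: check_audience_claims(payload, SAMPLE_CLIENT) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {'ok' if not result else '; '.join(result)}")
```

The function only covers the audience steps; signature, issuer, expiry and nonce checks from the same section still have to be applied separately before the payload is trusted.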
