[Openid-specs-ab] Issue #1009: Contradictory statements about ID Token azp Claim (openid/connect)
issues-reply at bitbucket.org
Wed Feb 15 18:21:16 UTC 2017
New issue 1009: Contradictory statements about ID Token azp Claim
> OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. **This Claim is only needed when the ID Token has a single audience value** and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience.
> 4) **If the ID Token contains multiple audiences, the Client SHOULD verify that an `azp` Claim is present.**
If I read it correctly, the first fragment states that `azp` is optional and might be needed only when there is only one audience, while the second fragment states that `azp` must be present when there are multiple audiences. Isn't it a contradiction?
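One way a Client can apply both quoted fragments when checking `aud` and `azp`, as an added example that is not part of the original post or of the specification text. It treats the SHOULD for multiple audiences as a hard requirement and also applies OpenID Connect Core's rules that the Client must be listed in `aud` and that a present `azp` equals its own `client_id`. The function name, client ID and claim sets are constructed for illustration, and signature, issuer and expiry checks are assumed to be done elsewhere.

```python
# Added example: aud/azp checks on ID Token claims whose signature, issuer and
# expiry have already been verified elsewhere (assumption).

NOT_IN_AUD = "client_id not in aud"
UNTRUSTED_AUD = "aud contains audiences this client does not trust"
AZP_MISSING = "multiple audiences but no azp"
AZP_MISMATCH = "azp is not this client"
AUD_MALFORMED = "aud missing or malformed"


def check_aud_azp(claims, client_id, trusted_audiences=frozenset()):
    """Return a list of problems; an empty list means the checks passed."""
    aud = claims.get("aud")
    # aud may be a single string or an array of strings.
    if isinstance(aud, str):
        audiences = {aud}
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = set(aud)
    else:
        return [AUD_MALFORMED]

    problems = []
    if client_id not in audiences:
        problems.append(NOT_IN_AUD)
    # Extra audiences are accepted only if explicitly trusted by this client.
    if audiences - {client_id} - set(trusted_audiences):
        problems.append(UNTRUSTED_AUD)

    azp = claims.get("azp")
    # Second quoted fragment: multiple audiences -> azp expected (enforced here).
    if len(audiences) > 1 and azp is None:
        problems.append(AZP_MISSING)
    # First quoted fragment: azp is optional with one audience, but if it is
    # present it must name the authorized party, which must be this client.
    if azp is not None and azp != client_id:
        problems.append(AZP_MISMATCH)
    return problems


if __name__ == "__main__":
    # Constructed claim sets for a client registered as "client-a".
    for claims in (
        {"aud": "client-a"},
        {"aud": ["client-a", "api-b"]},
        {"aud": ["client-a", "api-b"], "azp": "client-a"},
        {"aud": "client-a", "azp": "client-x"},
    ):
        print(claims, "->", check_aud_azp(claims, "client-a", {"api-b"}) or "ok")
```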