<div dir="ltr"><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:20px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none;background-color:rgb(255,255,255)">In the<span> </span></span><i style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:20px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">normal</i><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:20px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none;background-color:rgb(255,255,255)"><span> </span>Connect flow Google issues ID tokens with the RP's client id as the value for both aud and azp. Right* or wrong**, it is what they are doing now. So the 'reject it unless you know what you're doing with it' is probably going too far. 
Ignoring is probably more appropriate guidance at this point and I suspect is what most clients are doing anyway.<br><br></span></div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:20px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none;background-color:rgb(255,255,255)"></span><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:20px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none;background-color:rgb(255,255,255)"><br>* </span><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:20px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none;background-color:rgb(255,255,255)">current spec does say "[azp] MAY be included even when the authorized party is the same as the sole audience"<br><br>** there seems to be growing consensus that azp shouldn't have been in Connect at all and I don't see any point in issuing an id token with azp = aud <br><br><br></span><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 1, 2015 at 1:37 AM, Vladimir Dzhuvinov <span dir="ltr"><<a href="mailto:vladimir@connect2id.com" target="_blank">vladimir@connect2id.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 1.09.2015 03:02, Mike Jones wrote:<br>
> Spec call notes 31-Aug-15<br>
<span>><br>
><br>
>                 #973 - Core 2 / 3.1.3.7 - azp claim underspecified and overreaching<br>
>                                 We got data on what Google is actually doing with "azp"<br>
>                                 Notably, it is not used in an OpenID Connect protocol flow<br>
>                                 Brian's comment "Rather Connect should strive for something that's consistent and easily comprehensible" seems dead on<br>
>                                 Mike will take a stab at slightly revised wording following Brian's suggestions<br>
>                                 John suggests that RPs reject tokens with "azp" unless they understand what is going on<br>
<br>
</span>I'm also for mandating rejection of ID tokens with "azp" unless the RP<br>
knows how to deal with this claim. The "azp" seems to be a rather<br>
special case, and if I understand its usage correctly, it cannot simply<br>
be ignored if it's present.<br>
<span></span><br></blockquote></div></div></div></div>
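The thread above turns on how an RP should treat aud and azp in an ID token, and in particular the Google case where azp simply repeats the sole aud. The following is an added example, not code from the thread, from Google or from any OpenID implementation: it applies the aud/azp rules of OpenID Connect Core 1.0 section 3.1.3.7 (aud must list the client and only trusted audiences; several audiences call for azp; a present azp should name this client) and adds a switch, understands_azp, that models the two positions discussed (accept azp when it names this client, or reject any token carrying azp unless the RP has opted in). The client ids, issuer and claim sets are constructed; signature, issuer, expiry and nonce checks are assumed to have been done already.

```python
"""Audience / authorized-party checks for an OpenID Connect ID token (added example).

Claim sets below are constructed, not real tokens. Signature, iss, exp and nonce
validation are assumed to have happened before these functions are called.
"""
from typing import Iterable, List


def check_audience(claims: dict, client_id: str,
                   trusted_audiences: Iterable[str] = (),
                   understands_azp: bool = True) -> List[str]:
    """Return the problems found with aud/azp (an empty list means the checks pass).

    OpenID Connect Core 1.0, section 3.1.3.7:
      step 3: aud MUST contain client_id and MUST NOT contain audiences the RP does not trust
      step 4: if aud has several entries, an azp claim SHOULD be present
      step 5: if azp is present, its value SHOULD be this RP's client_id
    understands_azp=False models the 'reject unless you know what you're doing' position
    from the thread: any azp at all is a problem. The default models the 'ignore' guidance:
    azp equal to the RP's own client_id (the Google case) is harmless and passes.
    """
    problems: List[str] = []
    aud = claims.get("aud")
    if aud is None:
        return ["missing aud claim"]
    # aud may be a single string or a JSON array of strings
    audiences = [aud] if isinstance(aud, str) else list(aud)

    if client_id not in audiences:
        problems.append("aud does not list this client")
    allowed = set(trusted_audiences) | {client_id}
    untrusted = [a for a in audiences if a not in allowed]
    if untrusted:
        problems.append(f"aud contains untrusted audiences: {untrusted}")

    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        problems.append("multiple audiences but no azp claim")
    if azp is not None:
        if not understands_azp:
            problems.append("azp present but this RP does not handle azp")
        elif azp != client_id:
            problems.append(f"azp {azp!r} is not this client")
    return problems


# Constructed sample data (hypothetical client ids and issuer).
CLIENT_ID = "rp-client-id.example"

# The Google-style token described in the thread: azp repeats the single aud.
GOOGLE_STYLE = {"iss": "https://op.example", "sub": "1234",
                "aud": CLIENT_ID, "azp": CLIENT_ID}
# azp names another client: the token was authorized for a different party.
FOREIGN_AZP = {"iss": "https://op.example", "sub": "1234",
               "aud": CLIENT_ID, "azp": "other-client"}
# Two audiences but no azp, which step 4 says SHOULD be present.
MULTI_NO_AZP = {"iss": "https://op.example", "sub": "1234",
                "aud": [CLIENT_ID, "partner-client"]}


if __name__ == "__main__":
    for name, claims in [("google-style", GOOGLE_STYLE),
                         ("foreign-azp", FOREIGN_AZP),
                         ("multi-no-azp", MULTI_NO_AZP)]:
        print(name, check_audience(claims, CLIENT_ID, trusted_audiences=["partner-client"]))
    print("google-style, strict", check_audience(GOOGLE_STYLE, CLIENT_ID, understands_azp=False))
```

Under the default (ignore-style) policy the Google-shaped token passes cleanly, while a token whose azp names another client, or one with several audiences and no azp, is flagged; flipping understands_azp to False gives the stricter behaviour Vladimir and John argue for, at the cost of rejecting every token of the Google shape.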