Use of authorized party
Pieter Ennes
pieterennes at gmail.com
Mon Apr 13 10:14:51 UTC 2015
Hello,
I'm trying to grasp the use of the azp claim in OIDC, the specification
seems to give minimal context in general, but also contradicts itself if
I read correctly.
For the audience claim the following is stated:
"It MUST contain the OAuth 2.0 client_id of the Relying Party as an
audience value."
Hence, client_id MUST be one of the audiences. And in relation to the
authorized party, the following is mentioned:
"If present, it MUST contain the OAuth 2.0 Client ID of this party."
Thus, it can only contain the client_id if present.
However, the same paragraph then goes on:
"This Claim is only needed when the ID Token has a single audience
value and that audience is different than the authorized party."
This contradicts the first two quotes, since if there is only a single
audience, then both aud and azp MUST be exactly the client_id and they
can't possibly be different.
What I'm trying to understand: Is the intention of azp to select an
authorized party from a list of *multiple* audiences? This seems to be
hinted at in section 3.1.3.7 ID Token Validation:
"4. If the ID Token contains multiple audiences, the Client SHOULD
verify that an azp Claim is present."
- Pieter
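The aud/azp rules quoted above (OpenID Connect Core 1.0, section 3.1.3.7, steps 3 to 5) expressed as a Relying Party check, added here as an example that is not part of the original post. It assumes the ID Token payload has already been signature-verified and decoded into a dict; the `check_audience` function, the `trusted_audiences` parameter and the sample payloads are constructed for illustration.

```python
from typing import Any, Iterable

# Audience / authorized-party checks from OIDC Core 1.0 section 3.1.3.7
# (steps 3-5). Signature, iss, exp and nonce checks are assumed to be
# done elsewhere; this function only looks at aud and azp.
def check_audience(claims: dict[str, Any], client_id: str,
                   trusted_audiences: Iterable[str] = ()) -> list[str]:
    """Return a list of failures; an empty list means aud/azp are acceptable
    for the Relying Party identified by client_id. A strict RP rejects the
    token if the list is non-empty."""
    problems: list[str] = []
    trusted = set(trusted_audiences)
    aud = claims.get("aud")
    # aud may be a single string or a JSON array of strings.
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return ["aud claim missing or malformed"]
    # Step 3: our client_id MUST be listed as an audience ...
    if client_id not in audiences:
        problems.append("aud does not contain this client_id")
    # ... and any additional audience must be one this RP explicitly trusts.
    untrusted = [a for a in audiences if a != client_id and a not in trusted]
    if untrusted:
        problems.append(f"aud contains untrusted audiences: {untrusted}")
    azp = claims.get("azp")
    # Step 4: with multiple audiences, an azp claim SHOULD be present.
    if len(audiences) > 1 and azp is None:
        problems.append("multiple audiences but no azp claim")
    # Step 5: if azp is present, it SHOULD equal our client_id.
    if azp is not None and azp != client_id:
        problems.append(f"azp {azp!r} is not this client_id")
    return problems

# Constructed sample payloads (hypothetical issuer and client identifiers).
SINGLE_AUD = {"iss": "https://op.example", "sub": "alice", "aud": "rp-client"}
MULTI_AUD_OK = {"iss": "https://op.example", "sub": "alice",
                "aud": ["rp-client", "api-client"], "azp": "rp-client"}
MULTI_AUD_NO_AZP = {"iss": "https://op.example", "sub": "alice",
                    "aud": ["rp-client", "api-client"]}
WRONG_AZP = {"iss": "https://op.example", "sub": "alice",
             "aud": ["rp-client", "api-client"], "azp": "api-client"}

if __name__ == "__main__":
    for name, payload in [("single", SINGLE_AUD), ("multi-ok", MULTI_AUD_OK),
                          ("no-azp", MULTI_AUD_NO_AZP), ("wrong-azp", WRONG_AZP)]:
        print(name, check_audience(payload, "rp-client", ["api-client"]))
```

With a single audience equal to the client_id, azp adds nothing and the token passes without it; the azp check only starts doing work once aud lists more than one party.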