[Openid-specs-ab] Issue #862: Messages 2.2 (openid/connect)
issues-reply at bitbucket.org
Mon Jul 22 23:00:07 UTC 2013
New issue 862: Messages 2.2
azp OPTIONAL or REQUIRED. Authorized Party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 client_id of the party that will be using it. This Claim is only REQUIRED when the party requesting the ID Token is not the same as the sole audience of the ID Token. It MAY be included even when the Authorized Party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
In the second sentence "the party that will be using it." was pointed out as confusing to a reader as azp is defined in the first sentence as the party to which the token was issued. Probably should be changed to "OAuth 2.0 client_id of the party that requested the token.
The term sole audience was also noted as confusing. It is correct english but perhaps not spec language.
Perhaps something like
This Claim is only REQUIRED when aud is multi value or if aud is a single value that is not the value of azp.
More information about the Openid-specs-ab