panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

JWT validation for id token throws if the authorized presenter (azp field) is not defined if there are multiple audiences #311

Closed. deepaksrgm2010 closed this 3 years ago.

deepaksrgm2010 commented 3 years ago

Currently, JWT validation does not seem to account for the azp field not being defined when there are multiple audiences defined.

According to the spec:

"If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present." This is a SHOULD, hence recommended, but not a MUST, hence not mandatory.

I am reading this as: azp is not mandatory if multiple audiences are present, and an OP is compliant when azp is not provided for multiple audiences.

Hence, is it possible to accommodate this when validating the ID token?

panva commented 3 years ago
  1. As certified software, this client MUST exhibit this behaviour.
  2. SHOULD doesn't mean that an implementation is free to ignore a requirement because it doesn't feel like honouring it.
deepaksrgm2010 commented 3 years ago

Thanks for your quick and clear response @panva!

I am not sure if all other certified libraries exhibit the same behaviour. It looks like the following certified libraries do not enforce that an azp be present when there are multiple audiences. Examples:

For me, the standard does not seem very precise on the need here. I found an interesting discussion on an oidc issue regarding this.

panva commented 3 years ago

If and when there's finally an erratum published about this, I will revisit the topic. Until then the client will honour the SHOULD.
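The checks the thread is arguing about are steps 3 to 5 of ID Token validation in OpenID Connect Core 1.0, section 3.1.3.7: `aud` must contain the client's `client_id`; with multiple audiences an `azp` claim SHOULD be present; and when `azp` is present it SHOULD equal the `client_id`. The block below is an added example written for this page, not openid-client's code and not code from either participant. It runs the three checks over a decoded payload with the step-4 SHOULD switchable, so both the behaviour panva defends (strict) and the relaxation the reporter asks for can be compared on the same constructed tokens. It assumes the JWT signature has already been verified; `decodePayload`, `checkAudience`, `sampleToken`, `runCases` and the `strictAzp` option are hypothetical names, and the tokens are constructed, unsigned sample input.

```javascript
'use strict';

// Added example, not openid-client's own code. Implements the audience and
// azp checks of OpenID Connect Core 1.0 section 3.1.3.7, steps 3-5, on an
// already signature-verified ID Token payload. All names are hypothetical.

// Decode the payload of a compact-serialised JWT WITHOUT verifying it. Only
// used so the sample below starts from a realistic token string; a real
// client verifies the signature before trusting any claim.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new TypeError('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns a list of failures; an empty list means the checks passed.
// strictAzp = true enforces the step-4 SHOULD (the behaviour the library
// keeps); false skips it, which is the relaxation the issue requests.
function checkAudience(claims, clientId, { strictAzp = true } = {}) {
  const failures = [];
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];

  // Step 3: aud MUST contain this client's client_id.
  if (!aud.includes(clientId)) {
    failures.push(`aud ${JSON.stringify(aud)} does not contain client_id "${clientId}"`);
  }

  // Step 4: with multiple audiences, azp SHOULD be present.
  if (aud.length > 1 && claims.azp === undefined && strictAzp) {
    failures.push('aud has multiple values but azp is absent');
  }

  // Step 5: when azp is present, it SHOULD equal this client's client_id.
  if (claims.azp !== undefined && claims.azp !== clientId) {
    failures.push(`azp "${claims.azp}" is not this client's client_id "${clientId}"`);
  }

  return failures;
}

// Build a constructed, unsigned (alg "none") token purely as sample input.
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc(payload)}.`;
}

const CLIENT_ID = 'my-client';
// Constructed base claims; exp is far in the future so it is not the failure.
const base = { iss: 'https://op.example', sub: 'user-1', exp: 4102444800 };

const cases = {
  singleAud: sampleToken({ ...base, aud: CLIENT_ID }),
  multiAudNoAzp: sampleToken({ ...base, aud: [CLIENT_ID, 'other-client'] }),
  multiAudGoodAzp: sampleToken({ ...base, aud: [CLIENT_ID, 'other-client'], azp: CLIENT_ID }),
  multiAudBadAzp: sampleToken({ ...base, aud: [CLIENT_ID, 'other-client'], azp: 'other-client' }),
  wrongAud: sampleToken({ ...base, aud: 'other-client' }),
};

// Run every sample token through checkAudience with the given options and
// return { caseName: [failures...] }.
function runCases(options) {
  const out = {};
  for (const [name, jwt] of Object.entries(cases)) {
    out[name] = checkAudience(decodePayload(jwt), CLIENT_ID, options);
  }
  return out;
}

console.log('strict:', runCases({ strictAzp: true }));
console.log('relaxed:', runCases({ strictAzp: false }));
```

Under `strictAzp: true` the `multiAudNoAzp` token is rejected, which is the behaviour reported in the issue; under `strictAzp: false` it passes, while the step-3 and step-5 failures (`wrongAud`, `multiAudBadAzp`) are rejected either way. Note that relaxing step 4 means a token minted for several clients is accepted without any statement of which client it was issued to, which is the property the SHOULD exists to guarantee.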