Closed deepaksrgm2010 closed 3 years ago
Thanks for your quick and clear response @panva!
I am not sure, if all other certified libraries exhibit the same behaviour. It looks like the following certified libraries do not enforce an azp to be present on multiple audiences. Examples:
For me, the standard seems to be not very precise on the need here. I found an interesting discussion on oidc issue regarding this
If and when there's finally an errata published about this I will revisit the topic. Until then the client will honour the SHOULD.
Currently, JWT validation does not seem to account for the azp field not being defined when there are multiple audiences defined.
According to the specs
http://openid.net/specs/openid-connect-core-1_0.html#IDToken
3.1.3.7. rule 4 states
"If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present"
This is a SHOULD, hence recommended, but not a MUST, hence not mandatory. I am reading this as that azp is not mandatory if multiple audiences are present and an OP is compliant when azp is not provided for multiple audiences.
Hence is it possible to accommodate this when validating the id token?
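The audience and azp checks the thread argues about, as an added example that is not openid-client's code: rules 3 to 5 of OpenID Connect Core 1.0 section 3.1.3.7 applied to an ID Token payload, with a flag that decides whether the rule 4 SHOULD is enforced (the maintainer's behaviour) or relaxed (the reporter's request). The token used as input is constructed here, its signature is a placeholder, and signature, iss, exp and nonce checks are assumed to happen elsewhere.

```javascript
// Added example, not code from openid-client or the OpenID specs.
// Assumes the JWS signature, iss, exp and nonce were already verified.

function base64UrlJson(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Section 3.1.3.7, rules 3 to 5, on a decoded payload. Returns
// { ok: true } or { ok: false, reason } instead of throwing.
// enforceAzp = true treats the rule 4 SHOULD as a MUST.
function validateAudience(payload, clientId, { enforceAzp = true, trustedAudiences = [] } = {}) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  // Rule 3: aud MUST contain our client_id ...
  if (!aud.includes(clientId)) {
    return { ok: false, reason: `aud does not contain ${clientId}` };
  }
  // ... and the token MUST be rejected if it names audiences we do not trust.
  const untrusted = aud.filter((a) => a !== clientId && !trustedAudiences.includes(a));
  if (untrusted.length > 0) {
    return { ok: false, reason: `untrusted audiences: ${untrusted.join(',')}` };
  }
  // Rule 4: with multiple audiences the Client SHOULD verify azp is present.
  if (aud.length > 1 && payload.azp === undefined && enforceAzp) {
    return { ok: false, reason: 'multiple audiences but no azp claim' };
  }
  // Rule 5: if azp is present it MUST equal our client_id.
  if (payload.azp !== undefined && payload.azp !== clientId) {
    return { ok: false, reason: `azp ${payload.azp} is not ${clientId}` };
  }
  return { ok: true };
}

// Same checks starting from a compact JWS (header.payload.signature).
function validateIdTokenAudience(jwt, clientId, options) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a compact JWS' };
  return validateAudience(base64UrlJson(parts[1]), clientId, options);
}

// Constructed sample: two audiences, no azp, placeholder signature.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_TOKEN = `${b64url({ alg: 'RS256' })}.${b64url({
  iss: 'https://op.example', sub: 'u1', aud: ['client-a', 'client-b'],
})}.PLACEHOLDER_SIGNATURE`;
```

With the default `enforceAzp: true` the sample token is rejected with "multiple audiences but no azp claim"; with `enforceAzp: false` and `client-b` listed as trusted it passes.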