panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License
1.83k stars 392 forks

Need option to verify AZP when AUD is an array #569

Closed foopis23 closed 1 year ago

foopis23 commented 1 year ago

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch openid-client@5.4.0 for the project I'm working on.

My issue was that my IDP was not sending the azp field even though the audience was an array. I started looking into it, and the specification says it should be sent and verified if it's an array, but not that it must. At least from what I read. I asked my IDP if they could change this and they said it would be a bit of an ordeal to change, so I decided to patch it here. It would be nice if there was just an option to not verify azp if it is not present in the token.

Here is the diff that solved my problem:

diff --git a/node_modules/openid-client/lib/client.js b/node_modules/openid-client/lib/client.js
index 6ec4b51..d962e67 100644
--- a/node_modules/openid-client/lib/client.js
+++ b/node_modules/openid-client/lib/client.js
@@ -965,12 +965,13 @@ class BaseClient {

     if (payload.aud !== undefined) {
       if (Array.isArray(payload.aud)) {
-        if (payload.aud.length > 1 && !payload.azp) {
-          throw new RPError({
-            message: 'missing required JWT property azp',
-            jwt,
-          });
-        }
+        //! Spec says that azp "SHOULD" be present if aud is an array, but not that it MUST be present. Im my case, my IDP is not sending azp.
+        // if (payload.aud.length > 1 && !payload.azp) {
+        //   throw new RPError({
+        //     message: 'missing required JWT property azp',
+        //     jwt,
+        //   });
+        // }

         if (!payload.aud.includes(this.client_id)) {
           throw new RPError({
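Review bot: Commenting out the azp check in this hunk removes the verification for every caller, whereas the issue title asks for an option; the same relief with an opt-in would be to guard the block with a per-client setting and keep the throw as the default, since OpenID Connect Core 1.0 section 3.1.3.7 says the client SHOULD verify that azp is present when aud has multiple values, so relaxing it should be a deliberate per-client choice rather than the library default. If the block is meant to stay disabled, delete it instead of leaving commented-out code, and fix the typo in the new comment ("Im my case"). The unchanged `if (!payload.aud.includes(this.client_id))` check that follows still requires the token to name this client as an audience, which is the part of the check that must not be relaxed.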

This issue body was partially generated by patch-package.
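The aud/azp handling the comment describes, written out as an added example that is not openid-client's code: a stand-alone check that follows OpenID Connect Core 1.0 section 3.1.3.7 (steps 3 to 5) and exposes an opt-in switch that relaxes only the "azp must be present when aud has several values" case, while still rejecting a token whose azp names another client. The option names `requireAzpForMultipleAud` and `trustedAudiences`, the `RPError` class and the sample payloads are assumptions constructed for this example.

```javascript
// Added example, not openid-client's code: ID Token audience / authorized-party
// validation per OpenID Connect Core 1.0 section 3.1.3.7, steps 3-5, with an
// opt-in relaxation for IDPs that omit azp on multi-audience tokens.
// The client id, option names and token payloads below are constructed.

class RPError extends Error {
  constructor(message, payload) {
    super(message);
    this.name = 'RPError';
    this.payload = payload;
  }
}

// Returns { audiences, azp } on success, throws RPError on any failed check.
// options.requireAzpForMultipleAud (assumed name): default true, matching the
//   strict behaviour; false accepts a multi-audience token without azp.
// options.trustedAudiences (assumed name): if given, every audience other than
//   our own client_id must appear in it (step 3, "additional audiences not
//   trusted by the Client" must cause rejection).
function validateAudience(payload, clientId, options = {}) {
  const { requireAzpForMultipleAud = true, trustedAudiences } = options;

  if (payload.aud === undefined) {
    throw new RPError('missing required JWT property aud', payload);
  }
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];

  // Step 3: the token MUST list this client as an audience.
  if (!audiences.includes(clientId)) {
    throw new RPError(`aud is missing the client_id ${clientId}`, payload);
  }
  if (trustedAudiences !== undefined) {
    const untrusted = audiences.filter((a) => a !== clientId && !trustedAudiences.includes(a));
    if (untrusted.length > 0) {
      throw new RPError(`untrusted audience(s): ${untrusted.join(', ')}`, payload);
    }
  }

  // Step 4: with multiple audiences the client SHOULD verify azp is present.
  // This is the only check the opt-in relaxes.
  if (audiences.length > 1 && payload.azp === undefined && requireAzpForMultipleAud) {
    throw new RPError('missing required JWT property azp', payload);
  }

  // Step 5: when azp is present it is always verified against this client,
  // regardless of the option, so a token authorized for another party is rejected.
  if (payload.azp !== undefined && payload.azp !== clientId) {
    throw new RPError(`azp mismatch: expected ${clientId}, got ${payload.azp}`, payload);
  }

  return { audiences, azp: payload.azp };
}

// Small helper that reports the rejection reason instead of throwing, so the
// scenarios below can be listed side by side.
function outcome(payload, clientId, options) {
  try {
    validateAudience(payload, clientId, options);
    return 'accepted';
  } catch (err) {
    if (err instanceof RPError) return `rejected: ${err.message}`;
    throw err;
  }
}

// Constructed sample scenarios for a client registered as "rp-example".
const CLIENT_ID = 'rp-example';
const SCENARIOS = [
  ['single aud', { aud: 'rp-example' }, undefined],
  ['multi aud, azp present', { aud: ['rp-example', 'api-example'], azp: 'rp-example' }, undefined],
  ['multi aud, no azp, strict', { aud: ['rp-example', 'api-example'] }, undefined],
  ['multi aud, no azp, relaxed', { aud: ['rp-example', 'api-example'] }, { requireAzpForMultipleAud: false }],
  ['multi aud, azp for other party, relaxed', { aud: ['rp-example', 'api-example'], azp: 'api-example' }, { requireAzpForMultipleAud: false }],
  ['our client not in aud', { aud: ['api-example'] }, undefined],
];

for (const [label, payload, options] of SCENARIOS) {
  console.log(`${label}: ${outcome(payload, CLIENT_ID, options)}`);
}
```

Relaxing the step 4 check only changes which tokens are accepted when azp is absent; keeping step 5 unconditional means an IDP that does send azp can never have it ignored, and the `trustedAudiences` allowlist covers the part of step 3 that a bare `includes(client_id)` check does not.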