oauth2.dev

azp

OpenID_Foundation_Artifact_Binding_Working_Group

Registry Context

The azp claim identifies the authorized party, meaning the OAuth 2.0 client to which the ID Token was issued.

Technical Summary

In an OpenID Connect ID Token, azp is an OPTIONAL claim. When present, its value is the OAuth 2.0 Client ID of the authorized party and is a case-sensitive StringOrURI value.

When Used

Used in ID Tokens, especially when OpenID Connect extensions beyond Core define or require authorized-party semantics.

Normative Requirements

Clients

SHOULD
1
  1. openid-connect-core-1_0 - Section 3.1.3.7

    verify that its client_id is the azp claim value.

    Condition: when azp validation includes this check and an azp claim is present

    This validation MAY include that when an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.

azp claim

MUST
1
  1. openid-connect-core-1_0 - Section 2

    contain the OAuth 2.0 Client ID of the authorized party.

    Condition: if the azp claim is present in an ID Token

    If present, it MUST contain the OAuth 2.0 Client ID of this party.

azp validation

MAY
1
  1. openid-connect-core-1_0 - Section 3.1.3.7

    include verifying that the client's client_id is the azp claim value.

    Condition: when an azp claim is present

    This validation MAY include that when an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.

implementation

SHOULD
1
  1. openid-connect-core-1_0 - Section 3.1.3.7

    validate the azp value as specified by the applicable extensions.

    Condition: if the implementation uses extensions beyond OpenID Connect Core that result in the azp claim being present

    If the implementation is using extensions (which are beyond the scope of this specification) that result in the azp (authorized party) Claim being present, it SHOULD validate the azp value as specified by those extensions.

Validation Guidance

error

If an ID Token contains azp, validate that it is the OAuth 2.0 Client ID of the authorized party and is treated as a case-sensitive StringOrURI value.

warning

When extensions define azp behavior, validate azp according to those extension rules.

info

Consider checking that the RP client's client_id matches azp when azp is present and extension semantics allow or require this validation.

Reference

Details

Entry Id
azp
Claim Name
azp
Claim Description
Authorized party - the party to which the ID Token was issued
Change Controller
OpenID_Foundation_Artifact_Binding_Working_Group
Reference
OpenID Connect Core 1.0 - Section 2