azp
Registry Context
The azp claim identifies the authorized party, meaning the OAuth 2.0 client to which the ID Token was issued.
Technical Summary
In an OpenID Connect ID Token, azp is an OPTIONAL claim. When present, its value is the OAuth 2.0 Client ID of the authorized party and is a case-sensitive StringOrURI value.
When Used
Used in ID Tokens, especially when OpenID Connect extensions beyond Core define or require authorized-party semantics.
Normative Requirements
Clients
openid-connect-core-1_0 - Section 3.1.3.7
verify that its client_id is the azp claim value.
Condition: when azp validation includes this check and an azp claim is present
This validation MAY include that when an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
azp claim
openid-connect-core-1_0 - Section 2
contain the OAuth 2.0 Client ID of the authorized party.
Condition: if the azp claim is present in an ID Token
If present, it MUST contain the OAuth 2.0 Client ID of this party.
azp validation
openid-connect-core-1_0 - Section 3.1.3.7
include verifying that the client's client_id is the azp claim value.
Condition: when an azp claim is present
This validation MAY include that when an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
implementation
openid-connect-core-1_0 - Section 3.1.3.7
validate the azp value as specified by the applicable extensions.
Condition: if the implementation uses extensions beyond OpenID Connect Core that result in the azp claim being present
If the implementation is using extensions (which are beyond the scope of this specification) that result in the azp (authorized party) Claim being present, it SHOULD validate the azp value as specified by those extensions.
Validation Guidance
If an ID Token contains azp, validate that it is the OAuth 2.0 Client ID of the authorized party and is treated as a case-sensitive StringOrURI value.
When extensions define azp behavior, validate azp according to those extension rules.
Consider checking that the RP client's client_id matches azp when azp is present and extension semantics allow or require this validation.
Reference
Details
- Entry Id
azp- Claim Name
azp- Claim Description
Authorized party - the party to which the ID Token was issued- Change Controller
OpenID_Foundation_ Artifact_ Binding_ Working_ Group - Reference
OpenID Connect Core 1.0 - Section 2