ID Token RFC

azp OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.

As azp is OPTIONAL, if it's not declared it should not raise an error.

https://github.com/spring-projects/spring-security/blob/da9d7414bd88dac94785cea6dab742e18bd7cd57/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java#L95

Comment From: anoopgarlapati

This is as per the specification. As stated in the same specification in section 3.1.3.7 - ID Token Validation:

Clients MUST validate the ID Token in the Token Response in the following manner: 4. If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.

Comment From: jgrandja

@loutente

As @anoopgarlapati mentioned, this validation is implemented as per spec.

Comment From: loutente

So if the server does not provide the azp information, as it is OPTIONAL, the client will always face an error but the token is valid. In fact, my understanding of the spec is: if there's an azp, the client should check that the azp is the client id. But if there's no azp, the token is valid even if there are multiple audiences, as it's an optional value. @anoopgarlapati, @jgrandja does it make sense?
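As an added illustration (not Spring Security's code, nor anything posted in this issue), the audience checks from section 3.1.3.7 written out in Python, with a switch for the two readings of step 4 that the thread disagrees about: the strict reading, where a multi-audience token without azp is rejected, and the lenient reading, where a missing azp never fails the token. The claim dicts are constructed sample tokens; signature and expiry checks are assumed to have already passed.

```python
"""Audience / azp validation, OpenID Connect Core section 3.1.3.7 steps 3-5.

Hypothetical example code. `claims` is a decoded ID Token payload (dict).
"""
from typing import Dict, List

CLIENT_ID = "my-client"  # constructed client_id for the samples below


def validate_aud_and_azp(claims: dict, client_id: str,
                         require_azp_for_multiple_aud: bool = True) -> List[str]:
    """Return the list of validation errors; an empty list means the token passes.

    require_azp_for_multiple_aud=True reproduces the strict reading (the SHOULD
    in step 4 enforced as a hard failure); False follows the lenient reading.
    """
    errors: List[str] = []
    aud = claims.get("aud")
    # 'aud' may be a single string or an array of strings (RFC 7519, 4.1.3)
    if aud is None:
        return ["missing aud claim"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    # Step 3: this client's client_id MUST be one of the audiences
    if client_id not in audiences:
        errors.append("client_id not in aud")
    azp = claims.get("azp")
    # Step 4: with multiple audiences, an azp Claim SHOULD be present
    if len(audiences) > 1 and azp is None and require_azp_for_multiple_aud:
        errors.append("multiple audiences but no azp claim")
    # Step 5: if azp is present, it MUST equal this client's client_id
    if azp is not None and azp != client_id:
        errors.append("azp does not match client_id")
    return errors


# Constructed sample payloads covering the cases discussed in the thread
SAMPLE_TOKENS: Dict[str, dict] = {
    "single_aud_no_azp": {"aud": CLIENT_ID},
    "multi_aud_no_azp": {"aud": [CLIENT_ID, "other-api"]},
    "multi_aud_with_azp": {"aud": [CLIENT_ID, "other-api"], "azp": CLIENT_ID},
    "wrong_azp": {"aud": CLIENT_ID, "azp": "someone-else"},
    "not_for_us": {"aud": ["other-api"]},
}


def check_samples(strict: bool) -> Dict[str, List[str]]:
    """Run every sample through the validator in strict or lenient mode."""
    return {name: validate_aud_and_azp(tok, CLIENT_ID, strict)
            for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "lenient", check_samples(mode))
```

Only the multi-audience token without azp changes outcome between the two modes; the other checks fail or pass identically.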

Comment From: loutente

@jgrandja Do I have to reopen a new issue?