jwt - OpenID Connect standard: Authorized Party azp Contradiction

Tags: jwt openid-connect

The OpenID Connect spec's statements about azp (authorized party) seem to contradict each other.

In the ID Token definition, section 2, it says:

azp

OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience...

But in the ID Token validation section, 3.1.3.7, one of the steps seems to say the opposite:

  1. If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.

Can someone explain this apparent discrepancy? Only the second instance uses normative language, so I'm inclined to follow that one in my implementation.

Best answer

You're right, the whole azp situation in OIDC is confusing. For what it's worth, there's an open issue about it; see OIDC - Issue 973 (azp claim underspecified and overreaching).

From the definition of "aud" in JWT and its use in Connect's ID Token (relevant spec text is copied below), it seems that the client id of the client/RP that made the authentication request has to be one of the values, or the only value, of the "aud" claim in the ID Token. That's logical and consistent and provides reliable and interoperable guidance to implementers about producing and consuming the ID Token. I think that the client id of the RP/client that made the authentication request should always be represented in the aud of the returned ID Token.

The text around "azp" in the ID Token section and the ID Token Validation section seems to maybe suggest something different, however. Like perhaps that the client id of the RP/client that made the authentication request could, in some totally unspecified circumstance, be the value of the azp claim and that the aud would not identify that client as an intended recipient. Am I misinterpreting things?

Personally, from the perspective of a client application developer, the best approach seems to be to follow the ID Token validation rules, which always imply that the value in azp will also appear in aud. However, based on what is available online, Google seems to use it a bit differently, so you can get a value in azp that is not listed in aud; in some cases you may therefore be following Google's rules rather than just OIDC's.

If you're implementing an OP, a good option might be to stay away from including azp in the tokens you issue entirely, if possible, or to include it only when multiple audiences are used, one of which is also the value in azp.
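As an added example (not part of the question or the answer above), the aud/azp checks the answer refers to, written out in Python over an already-decoded ID Token payload; the sample payloads, client IDs and the `strict_azp` switch are constructed for illustration:

```python
# Added example, not from the original post: the aud/azp part of OpenID Connect
# Core 3.1.3.7 (steps 3-5) applied to an already-decoded ID Token payload.
# Signature, iss, exp and nonce verification are assumed to happen elsewhere.


def check_aud_azp(claims: dict, client_id: str, strict_azp: bool = False) -> tuple:
    """Return (accepted, reason) for the audience / authorized-party rules.

    Step 3: aud MUST contain this client's client_id (string or list form).
    Step 4: with multiple audiences the client SHOULD verify azp is present;
            that SHOULD is made configurable via strict_azp (hypothetical flag).
    Step 5: if azp is present, it MUST equal this client's client_id, which
            by step 3 also means the azp value is listed in aud.
    """
    aud = claims.get("aud")
    if aud is None:
        return False, "aud claim missing"
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        return False, "client_id not in aud"
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        if strict_azp:
            return False, "multiple audiences but azp missing"
        return True, "multiple audiences, azp absent (SHOULD-level gap)"
    if azp is not None and azp != client_id:
        return False, "azp does not match client_id"
    return True, "ok"


# Constructed sample payloads (values invented for illustration).
SINGLE_AUD = {"iss": "https://op.example", "sub": "u1", "aud": "client-a"}
MULTI_AUD_WITH_AZP = {"aud": ["client-a", "client-b"], "azp": "client-a"}
MULTI_AUD_NO_AZP = {"aud": ["client-a", "client-b"]}
# azp names a party that aud does not list: the pattern the answer says you may
# see outside strict OIDC. Rejected here because client-a is not in aud.
AZP_OUTSIDE_AUD = {"aud": "client-b", "azp": "client-a"}

if __name__ == "__main__":
    samples = [("single", SINGLE_AUD), ("multi+azp", MULTI_AUD_WITH_AZP),
               ("multi-no-azp", MULTI_AUD_NO_AZP), ("azp-outside-aud", AZP_OUTSIDE_AUD)]
    for name, payload in samples:
        print(name, check_aud_azp(payload, "client-a", strict_azp=True))
```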

Source: a similar question on Stack Overflow, "jwt - OpenID Connect standard: Authorized Party azp Contradiction": https://stackoverflow.com/questions/41231018/
