Need option for verify AZP when AUD is an array

[foopis23]

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch [email protected] for the project I'm working on.

My issue was that my IDP was not send the azp field even though audience was an array. I started looking into, and the specification says it should be sent and verified if its an array, but not that is must. At least from what I read. I ask my IDP if they could change this and they said it would be a bit of an ordeal to change, so I decided to patch it here. It would be nice if there was just an option to not verify azp if not present in the token.

Here is the diff that solved my problem:

diff --git a/node_modules/openid-client/lib/client.js b/node_modules/openid-client/lib/client.js
index 6ec4b51..d962e67 100644
--- a/node_modules/openid-client/lib/client.js
+++ b/node_modules/openid-client/lib/client.js
@@ -965,12 +965,13 @@ class BaseClient {
 
     if (payload.aud !== undefined) {
       if (Array.isArray(payload.aud)) {
-        if (payload.aud.length > 1 && !payload.azp) {
-          throw new RPError({
-            message: 'missing required JWT property azp',
-            jwt,
-          });
-        }
+        //! Spec says that azp "SHOULD" be present if aud is an array, but not that it MUST be present. Im my case, my IDP is not sending azp.
+        // if (payload.aud.length > 1 && !payload.azp) {
+        //   throw new RPError({
+        //     message: 'missing required JWT property azp',
+        //     jwt,
+        //   });
+        // }
 
         if (!payload.aud.includes(this.client_id)) {
           throw new RPError({

This issue body was partially generated by patch-package.

[uanid]

Hello @panva

I'm writing to discuss a notable change in the Final OpenID Connect Specification, published on December 15, 2023. Specifically, I'd like to address the updated guidance in section 3.1.3.7 regarding the 'azp' field in ID Token Validation.

As per the new specification, when the 'aud' (audience) claim is an array, the 'azp' (authorized party) claim is no longer required.

Below is the 3.1.3.7 section

3.1.3.7.  ID Token Validation 
4. The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.

[panva]

Thank you @uanid

I will remove the azp behaviours completely with the next major version given the conformance tests get updated as well, for now they continue checking this behaviour.

[panva]

Coming back to this, removing the "azp" specifics wouldn't solve your issue because of this part of the quoted clause

The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.

Meaning that if you already get an array with more than one member from your IdP there's no way it would pass a new validation logic without introducing new options similar to additionalAuthorizedParties such as additionalAudiences.