Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OpenID Connect Standard: Authorized Party azp Contradiction

In the OpenID Connect spec the azp (authorized party) claim seems to have a contradiction.

In the ID token definition section 2 it says:

azp

OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience...

But in token validation section 3.1.3.7, one of the steps seems to say the opposite:

  1. If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.

Could anyone shed some light on this apparent discrepancy? Only the second instance uses declaratory language, so I'm leaning towards favoring that in my implementation.

like image 370
joshperry Avatar asked Dec 19 '16 21:12

joshperry


People also ask

What is authorization code in OpenID Connect?

The Code Flow consists of the following steps: Client prepares an Authentication Request containing the desired request parameters. Client sends the request to the Authorization Server. Authorization Server authenticates the End-User. Authorization Server obtains End-User Consent/Authorization.

Is OpenID authentication or authorization?

OIDC was developed by the OpenID Foundation, which includes companies like Google and Microsoft. While OAuth 2.0 is an authorization protocol, OIDC is an identity authentication protocol and may be used to verify the identity of a user to a client service, also called Relying Party.

What is OpenID Connect relying party?

An OIDC Relying Party is an OAuth 2.0 Client application that requires user authentication and claims from an OpenID Connect Provider. Security Access Manager supports Relying Party (RP) as part of the support of the OAuth 2.0 and OpenID Connect (OIDC) specifications.


1 Answers

You're correct, the whole azp situation in OIDC is confusing. For what's it's worth, they have an open issue associated with it; see OIDC - Issue 973 (azp claim underspecified and overreaching).

From the definition of "aud" in JWT and its use in Connect's ID Token (relevant spec text is copied below), it seems that that the client id of the client/RP that made the authentication request has to be one of the values, or the only value, of the "aud" claim in the ID Token. That's logical and consistent and provides reliable and interoperable guidance to implementers about producing and consuming the ID Token. I think that the client id of the RP/client that made the authentication request should always be represented in the aud of the returned ID Token.

The text around "azp" in the ID Token section and the ID Token Validation section seems to maybe suggest something different, however. Like perhaps that the client id of the RP/client that made the authentication request could, in some totally unspecified circumstance, be the value of the azp claim and that the aud would not identify that client as an intended recipient. Am I misinterpreting things?

Personally, from the client application developer perspective, the best course of action seems to be honoring the ID Token validation rules which always imply that the value within azp will also be present as an aud. However, according to what's available online Google seemed to use it a bit differently so you could have a value in azp not listed within aud, so there may be situations where you play by Google rules and not (just) OIDC.

If you're implementing an OP a probably good option is also to entirely stay away from including azp in your issued tokens if possible or only include it when using multiple audiences with one of them being the value also in the azp.

like image 69
João Angelo Avatar answered Sep 30 '22 03:09

João Angelo