Consider any azp claim when validating aud.

openid · Aug 8, 2019 · cf5b15a · cf5b15a
1 parent ae38a4a
commit cf5b15a
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/Source/OIDAuthorizationService.m b/Source/OIDAuthorizationService.m
@@ -574,10 +574,12 @@ + (void)performTokenRequest:(OIDTokenRequest *)request
         return;
       }
 
-      // OpenID Connect Core Section 3.1.3.7. rule #3
-      // Validates that the audience of the ID Token matches the client ID.
+      // OpenID Connect Core Section 3.1.3.7. rule #3 & Section 2 azp Claim
+      // Validates that the aud (audience) Claim contains the client ID, or that the azp
+      // (authorized party) Claim matches the client ID.
       NSString *clientID = tokenResponse.request.clientID;
-      if (![idToken.audience containsObject:clientID]) {
+      if (![idToken.audience containsObject:clientID] &&
+          ![idToken.claims[@"azp"] isEqualToString:clientID]) {
         NSError *invalidIDToken =
           [OIDErrorUtilities errorWithCode:OIDErrorCodeIDTokenFailedValidationError
                            underlyingError:nil