From cf5b15a6e02ee509c5966c5dacbc45a0bef7c5cf Mon Sep 17 00:00:00 2001
From: Peter Andrews
Date: Thu, 18 Jul 2019 12:17:22 -0700
Subject: [PATCH] Consider any azp claim when validating aud.
---
 Source/OIDAuthorizationService.m | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/Source/OIDAuthorizationService.m b/Source/OIDAuthorizationService.m
index 53c521e8e..cc749a3f9 100644
--- a/Source/OIDAuthorizationService.m
+++ b/Source/OIDAuthorizationService.m
@@ -574,10 +574,12 @@ + (void)performTokenRequest:(OIDTokenRequest *)request
       return;
     }
-    // OpenID Connect Core Section 3.1.3.7. rule #3
-    // Validates that the audience of the ID Token matches the client ID.
+    // OpenID Connect Core Section 3.1.3.7. rule #3 & Section 2 azp Claim
+    // Validates that the aud (audience) Claim contains the client ID, or that the azp
+    // (authorized party) Claim matches the client ID.
     NSString *clientID = tokenResponse.request.clientID;
-    if (![idToken.audience containsObject:clientID]) {
+    if (![idToken.audience containsObject:clientID] &&
+        ![idToken.claims[@"azp"] isEqualToString:clientID]) {
       NSError *invalidIDToken = [OIDErrorUtilities errorWithCode:OIDErrorCodeIDTokenFailedValidationError underlyingError:nil