
Conversation

roee-hersh

Description

Add support for the azp (Authorized Party) claim in JWT token client ID extraction to improve compatibility with OpenID Connect standard implementations.

Problem: The current JWT verifier only checks client_id and sub claims when extracting the client identifier from JWT tokens. However, many identity providers (including Keycloak, Auth0, and other enterprise OIDC implementations) use the azp claim to represent the client application ID, as defined in the OpenID Connect Core 1.0 specification.

Solution: Extended the client ID extraction fallback chain to include the azp claim:

# Before
client_id = claims.get("client_id") or claims.get("sub") or "unknown"

# After
client_id = claims.get("client_id") or claims.get("azp") or claims.get("sub") or "unknown"

This change maintains full backwards compatibility while supporting standard OIDC implementations that rely on the azp claim for client identification.

Contributors Checklist

Review Checklist

  • I have self-reviewed my changes
  • My Pull Request is ready for review

Note: You'll need to create an issue first describing this enhancement before submitting the PR, and then update the issue number in the checklist above.

@marvin-context-protocol marvin-context-protocol bot added enhancement Improvement to existing functionality. For issues and smaller PR improvements. auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. labels Sep 29, 2025
Owner

@jlowin jlowin left a comment


That makes sense to me, can you please add a unit test to confirm it's loaded as expected?

Successfully merging this pull request may close these issues.

Add support for azp claim in JWT client ID extraction