Hello,

The Solid project has a specification of the webid-oidc protocol [1] in which the aud field of the id_token contains the origin of the redirect_uri. This is very useful because we could check that the further restrictions based on the Origin header in the access control layer of the Solid server cannot be bypassed by simply removing the Origin header (i.e. using the token in a script).

In the mean time, I cannot help but notice that the 'azp' field contains the same information as the 'aud' field, so using it for something different would not lead to a loss of information.

Would it be feasible to do that?

[1] https://github.com/solid/webid-oidc-spec/blob/master/application-user-workflow.md

Hi @ghost,
Thanks for opening the issue!
It would be feasible to use the azp field for something else, sure. What specifically do you have in mind?

Hi @ghost, just wanted to check in to make sure this issue is still relevant for you; I'm planning to close it in about a week, if not.