Why access token does not includes client_id or azp?

[duizabojul]

id_token got these claims but not access_token? Is there a reason for this? RFC tells client_id is required in access token.

[muhlemmer]

Hi, good question. You are right.

It seems we forget to assign the value here:

oidc/pkg/oidc/token.go

Lines 107 to 123 in 52e8b65

	func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, jwtid, clientID string, skew time.Duration) *AccessTokenClaims {
	now := time.Now().UTC().Add(-skew)
	if len(audience) == 0 {
	audience = append(audience, clientID)
	}
	return &AccessTokenClaims{
	TokenClaims: TokenClaims{
	Issuer: issuer,
	Subject: subject,
	Audience: audience,
	Expiration: FromTime(expiration),
	IssuedAt: FromTime(now),
	NotBefore: FromTime(now),
	JWTID: jwtid,
	},
	}
	}

I will convert this issue into a bug report and submit a fix. Thanks for raising!