feat: add support for authorized 3rd-parties (azp) (closes panva#231)

docs/README.md

@@ -207,6 +207,8 @@ Creates a new Client with the provided metadata
   - `introspection_endpoint_auth_signing_alg`: `<string>`
   - `revocation_endpoint_auth_signing_alg`: `<string>`
   - `tls_client_certificate_bound_access_tokens`: `<boolean>`
+  - `authorized_third_parties`: `<boolean|string|string[]>` additional authorized values for the
+    Authorized Party claim. Accept any value if set to true.
   - other metadata may be present but currently doesn't have any special handling
 - `jwks`: `<Object>` JWK Set formatted object with private keys used for signing client assertions
   or decrypting responses.

lib/client.js

@@ -903,11 +903,29 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       }
     }
 
-    if (payload.azp !== undefined && payload.azp !== this.client_id) {
-      throw new RPError({
-        printf: ['azp must be the client_id, expected %s, got: %s', this.client_id, payload.azp],
-        jwt,
-      });
+    if (payload.azp !== undefined) {
+      if (payload.azp === this.client_id) {
+        // Accept if issued to this client
+      } else if (!this.authorized_third_parties) {
+        // Not issued to self and no configured authorized 3rd parties
+        throw new RPError({
+          printf: ['azp must be the client_id, expected %s, got: %s', this.client_id, payload.azp],
+          jwt,
+        });
+      } else if (this.authorized_third_parties === true) {
+        // Accept any authorized party
+      } else if (typeof this.authorized_third_parties === 'string'
+             && payload.azp === this.authorized_third_parties) {
+        // values match
+      } else if (Array.isArray(this.authorized_third_parties)
+             && this.authorized_third_parties.includes(payload.azp)) {
+        // value included
+      } else {
+        throw new RPError({
+          message: 'unrecognized azp',
+          jwt,
+        });
+      }
     }
 
     let key;