Add azp claim support within nested act/sub claim structures #26678
Open
Description
Problem
The azp (authorized party) claim is not properly handled in nested delegation chains:
- Loss of authorized party information in multi-level delegations
- Cannot track which client was originally authorized at each delegation level
- Compliance and audit trails are incomplete
- Difficult to determine authorization scope at each hop
- Security decisions cannot account for the full authorization context
Proposed Solution
Implement comprehensive azp claim support in nested structures:
- Embed azp claim within each level of nested act/sub claims
- Preserve azp through the entire delegation chain
- Add validation for azp claim consistency
- Update JWT claim processing to handle azp in nested contexts
- PRRA: Add Support nested act claim with azp and multi-audience in token request wso2-extensions/identity-inbound-auth-oauth#3028
Alternatives
No response
Please select the area issue is related to
Other
Version
No response
Developer Checklist
- [Behavioural Change] Does this change introduce a behavioral change to the product?
- ↳ Approved by team lead
- ↳ Label impact/behavioral-change added
- [Migration Impact] Does this change have a migration impact?
- ↳ Migration label added (e.g., 7.2.0-migration)
- ↳ Migration issues created and linked
- [New Configuration] Does this change introduce a new configuration?
- ↳ Label config added
- ↳ Configuration is properly documented
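The per-hop audit the proposal asks for, sketched as an added example that is not part of the issue and not WSO2 code. The claim layout (an `azp` beside each `sub` inside nested `act` objects), the depth cap, and the reading of "consistency" as "every level carries a non-empty `sub` and `azp`" are assumptions; the sample payload is constructed.

```python
# Constructed sample of a decoded JWT payload. Per RFC 8693 the outermost
# "act" is the current actor and nested "act" claims are prior actors.
# Placing "azp" inside each "act" level is the layout assumed here.
SAMPLE_CLAIMS = {
    "sub": "user@example.com",
    "azp": "client-frontend",
    "aud": ["api-orders"],
    "act": {
        "sub": "service-b",
        "azp": "client-b",
        "act": {"sub": "service-a", "azp": "client-a"},
    },
}

MAX_DEPTH = 8  # assumed cap so a hostile token cannot force unbounded nesting


def delegation_chain(claims, max_depth=MAX_DEPTH):
    """Return [(depth, sub, azp)], depth 0 being the token's own subject."""
    chain, node, depth = [], claims, 0
    while True:
        if not isinstance(node, dict):
            raise ValueError(f"level {depth}: act claim is not a JSON object")
        chain.append((depth, node.get("sub"), node.get("azp")))
        if "act" not in node:
            return chain
        depth += 1
        if depth > max_depth:
            raise ValueError(f"delegation chain deeper than {max_depth}")
        node = node["act"]


def audit_chain(claims):
    """List every level whose sub or azp is absent or not a non-empty string."""
    findings = []
    for depth, sub, azp in delegation_chain(claims):
        for name, value in (("sub", sub), ("azp", azp)):
            if not isinstance(value, str) or not value:
                findings.append(f"level {depth}: missing {name}")
    return findings


if __name__ == "__main__":
    for depth, sub, azp in delegation_chain(SAMPLE_CLAIMS):
        print(f"hop {depth}: sub={sub} azp={azp}")
    print("findings:", audit_chain(SAMPLE_CLAIMS) or "none")
```

Run this only on claims from a token whose signature has already been verified; the walk itself establishes nothing about authenticity.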