// as the sole audience. The azp value is a case sensitive
		// string containing a StringOrURI value
		azpValues, ok := policy.GetValuesFromClaims(claims, azpClaim)
		if !ok {
			return errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
		}
		if !azpValues.Contains(pCfg.ClientID) {
			return errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")