Description
Is your feature request related to a problem? Please describe.
oidc/pkg/client/rp/verifier.go, lines 49 to 53 in e8262cb:

```go
if err = oidc.CheckAudience(claims, v.ClientID); err != nil {
	return nilClaims, err
}
if err = oidc.CheckAuthorizedParty(claims, v.ClientID); err != nil {
```
Currently, VerifyIDToken checks aud and azp against the same ClientID. However, ID tokens issued by some OPs, e.g. Google, can have two different client_ids in the aud and azp claims.
When using Google identity on Android, the azp claim is the Android app's client_id, while the aud claim is the web application's client_id, as described in Google's documentation, this discussion and this OIDC spec issue. This means that ID tokens issued by Google can't pass VerifyIDToken.
Describe the solution you'd like
Make the azp claim check configurable and allow the user to pass a function into NewIDTokenVerifier to specify how they want to check the claim.
e.g. an option func WithAuthorizedPartyChecker(func(azp string, aud []string) error) VerifierOption
Describe alternatives you've considered
Add an option to pass a list of client_ids into NewIDTokenVerifier, and check azp against that list.
Additional context
The OIDC work group seems to have changed the azp validation in an errata, see https://bitbucket.org/openid/connect/src/b84078b1aeb694a79823f3de5a22315df700b22f/openid-connect-core-1_0.xml#lines-1933:1944, making it optional. But for some reason they haven't updated their website to include the errata yet.
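The following is an added, self-contained sketch of the option proposed above; it is not code from zitadel/oidc and the type and function names (IDTokenVerifier, VerifierOption, WithAuthorizedPartyChecker, StrictAuthorizedParty, AllowedAuthorizedParties, CheckAudience, and a minimal IDTokenClaims struct) are assumptions modelled on the issue text, not the library's real API. It keeps the current strict behaviour as the default, wires in the proposed checker hook, and implements the "list of allowed client_ids" alternative on top of it. The sample claims mirror the Google Android case (aud = web client_id, azp = Android client_id) and are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// IDTokenClaims is a hypothetical stand-in for the verifier's claims type;
// only the two claims this issue is about are modelled.
type IDTokenClaims struct {
	Audience        []string // "aud"
	AuthorizedParty string   // "azp"
}

var (
	ErrAudience                  = errors.New("aud does not contain client_id")
	ErrAuthorizedParty           = errors.New("azp does not match client_id")
	ErrAuthorizedPartyNotAllowed = errors.New("azp is not an allowed client_id")
)

// AuthorizedPartyChecker is the checker signature proposed in the issue (assumed name).
type AuthorizedPartyChecker func(azp string, aud []string) error

// IDTokenVerifier and VerifierOption are hypothetical; they only model the option pattern.
type IDTokenVerifier struct {
	ClientID   string
	azpChecker AuthorizedPartyChecker
}

type VerifierOption func(*IDTokenVerifier)

// WithAuthorizedPartyChecker installs a custom azp check (the proposed option, assumed name).
func WithAuthorizedPartyChecker(fn AuthorizedPartyChecker) VerifierOption {
	return func(v *IDTokenVerifier) { v.azpChecker = fn }
}

// NewIDTokenVerifier defaults to the strict check so existing behaviour is unchanged.
func NewIDTokenVerifier(clientID string, opts ...VerifierOption) *IDTokenVerifier {
	v := &IDTokenVerifier{ClientID: clientID, azpChecker: StrictAuthorizedParty(clientID)}
	for _, o := range opts {
		o(v)
	}
	return v
}

// StrictAuthorizedParty reproduces today's behaviour: if azp is present it must equal clientID.
func StrictAuthorizedParty(clientID string) AuthorizedPartyChecker {
	return func(azp string, _ []string) error {
		if azp != "" && azp != clientID {
			return fmt.Errorf("%w: got %q, want %q", ErrAuthorizedParty, azp, clientID)
		}
		return nil
	}
}

// AllowedAuthorizedParties implements the issue's alternative: azp, when present,
// must be one of a configured list of client_ids (e.g. web and Android client_ids).
func AllowedAuthorizedParties(allowed ...string) AuthorizedPartyChecker {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		set[a] = struct{}{}
	}
	return func(azp string, _ []string) error {
		if azp == "" {
			return nil
		}
		if _, ok := set[azp]; !ok {
			return fmt.Errorf("%w: %q", ErrAuthorizedPartyNotAllowed, azp)
		}
		return nil
	}
}

// CheckAudience is unchanged by the proposal: aud must still contain this client's id,
// so relaxing azp never lets a token minted for another client through.
func CheckAudience(claims IDTokenClaims, clientID string) error {
	for _, a := range claims.Audience {
		if a == clientID {
			return nil
		}
	}
	return ErrAudience
}

// VerifyAudienceAndAuthorizedParty is the part of VerifyIDToken this issue touches.
func (v *IDTokenVerifier) VerifyAudienceAndAuthorizedParty(claims IDTokenClaims) error {
	if err := CheckAudience(claims, v.ClientID); err != nil {
		return err
	}
	return v.azpChecker(claims.AuthorizedParty, claims.Audience)
}

func main() {
	// Constructed sample: Google-style token for an Android app backed by a web client.
	google := IDTokenClaims{
		Audience:        []string{"web-client.apps.googleusercontent.com"},
		AuthorizedParty: "android-client.apps.googleusercontent.com",
	}
	strict := NewIDTokenVerifier("web-client.apps.googleusercontent.com")
	fmt.Println("strict:", strict.VerifyAudienceAndAuthorizedParty(google))
	relaxed := NewIDTokenVerifier("web-client.apps.googleusercontent.com",
		WithAuthorizedPartyChecker(AllowedAuthorizedParties(
			"web-client.apps.googleusercontent.com", "android-client.apps.googleusercontent.com")))
	fmt.Println("allowlist:", relaxed.VerifyAudienceAndAuthorizedParty(google))
}
```

The important property to keep when adopting either variant is that only the azp rule becomes configurable: the aud check still binds the token to the relying party's own client_id, and a checker that accepts an unlisted azp (or skips the check entirely) should be an explicit opt-in rather than the default.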