diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/JwtDecoder.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/JwtDecoder.java
index dfdbd511f8f2..69d03a478bc5 100644
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/JwtDecoder.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/JwtDecoder.java
@@ -35,6 +35,7 @@ public class JwtDecoder
      * @param jwt the JWT to decode.
      * @return the map of claims encoded in the JWT.
      */
+    @SuppressWarnings("unchecked")
     public static Map<String, Object> decode(String jwt)
     {
         if (LOG.isDebugEnabled())
@@ -54,7 +55,6 @@ public static Map<String, Object> decode(String jwt)
         Object parsedJwtHeader = json.fromJSON(jwtHeaderString);
         if (!(parsedJwtHeader instanceof Map))
             throw new IllegalStateException("Invalid JWT header");
-        @SuppressWarnings("unchecked")
         Map<String, Object> jwtHeader = (Map<String, Object>)parsedJwtHeader;
         if (LOG.isDebugEnabled())
             LOG.debug("JWT Header: {}", jwtHeader);
diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
index c87ef1604f26..ccc26d70989b 100644
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@@ -15,6 +15,7 @@
 
 import java.io.Serializable;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
@@ -45,6 +46,14 @@ public class OpenIdCredentials implements Serializable
     private String authCode;
     private Map<String, Object> response;
     private Map<String, Object> claims;
+    private boolean verified = false;
+
+    public OpenIdCredentials(Map<String, Object> claims)
+    {
+        this.redirectUri = null;
+        this.authCode = null;
+        this.claims = claims;
+    }
 
     public OpenIdCredentials(String authCode, String redirectUri)
     {
@@ -95,7 +104,6 @@ public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception
                 claims = JwtDecoder.decode(idToken);
                 if (LOG.isDebugEnabled())
                     LOG.debug("claims {}", claims);
-                validateClaims(configuration);
             }
             finally
             {
@@ -103,6 +111,12 @@ public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception
                 authCode = null;
             }
         }
+
+        if (!verified)
+        {
+            validateClaims(configuration);
+            verified = true;
+        }
     }
 
     private void validateClaims(OpenIdConfiguration configuration) throws Exception
@@ -138,10 +152,11 @@ private void validateAudience(OpenIdConfiguration configuration) throws Authenti
             throw new AuthenticationException("Audience Claim MUST contain the client_id value");
         else if (isList)
         {
-            if (!Arrays.asList((Object[])aud).contains(clientId))
+            List<Object> list = Arrays.asList((Object[])aud);
+            if (!list.contains(clientId))
                 throw new AuthenticationException("Audience Claim MUST contain the client_id value");
 
-            if (claims.get("azp") == null)
+            if (list.size() > 1 && claims.get("azp") == null)
                 throw new AuthenticationException("A multi-audience ID token needs to contain an azp claim");
         }
         else if (!isValidType)
diff --git a/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java b/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
new file mode 100644
index 000000000000..18ac12841f46
--- /dev/null
+++ b/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
@@ -0,0 +1,40 @@
+//
+// ========================================================================
+// Copyright (c) 1995-2021 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+package org.eclipse.jetty.security.openid;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.eclipse.jetty.client.HttpClient;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+
+public class OpenIdCredentialsTest
+{
+    @Test
+    public void testSingleAudienceValueInArray() throws Exception
+    {
+        String issuer = "myIssuer123";
+        String clientId = "myClientId456";
+        OpenIdConfiguration configuration = new OpenIdConfiguration(issuer, "", "", clientId, "", new HttpClient());
+
+        Map<String, Object> claims = new HashMap<>();
+        claims.put("iss", issuer);
+        claims.put("aud", new String[]{clientId});
+        claims.put("exp", System.currentTimeMillis() + 5000);
+
+        assertDoesNotThrow(() -> new OpenIdCredentials(claims).redeemAuthCode(configuration));
+    }
+}