Hi @herry
There is a draft spec for OAuth access tokens that discusses the client_id field:
The client_id field is just the azp field by a different name (the azp field was probably added to the access token before the draft spec was published).
So that is why it is there.
As long as you follow the recommended checks (which do not include client_id or azp), you are doing the right thing.
John