Wrong "aud" (Audience) claim validation #1234

Closed
3 tasks done
dadrus opened this issue Mar 12, 2024 · 0 comments · Fixed by #1237
Labels
bug Something isn't working
Milestone

Comments

dadrus (Owner) commented Mar 12, 2024

Preflight checklist

  • I agree to follow this project's Code of Conduct.
  • I have read and am following this repository's Contribution Guidelines.
  • I could not find a solution in the existing issues, docs, nor discussions.

Describe the bug

Citing RFC-7519, section 4.1.3:

the audience claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim.

The same is also true for the "aud" claim from the introspection endpoint response (see RFC-7662).

Since the aforementioned principals do not need to know each other, a principal must not reject the token if it encounters further audience references it does not understand. Heimdall, however, currently expects all audiences to be known.

So if a token contains an "aud" claim with the values foo and bar, and heimdall is configured to expect bar, the assertion will fail, leading to failed authentication.

The implementation should adhere to the requirements from the RFCs referenced above.

How can the bug be reproduced

See the example given above.

Relevant log output

No response

Relevant configuration

No response

Version

v0.13.0-alpha

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

@dadrus dadrus added the bug Something isn't working label Mar 12, 2024
@dadrus dadrus added this to the v0.14.0-alpha milestone Mar 12, 2024
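The two validation rules the issue contrasts, as an added example that is not heimdall's own code and not taken from the linked fix. It parses an "aud" claim from a JWT claim set or an RFC 7662 introspection response (both allow either a single string or an array of strings), then shows the rejected behaviour (every listed audience must be known to the verifier) next to the RFC 7519 section 4.1.3 rule (the verifier only has to find one of its own identifiers in the list). The function names, the `Audience` type and the sample payloads are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Audience is the decoded "aud" claim. RFC 7519 section 4.1.3 allows either a
// single case-sensitive string or an array of such strings, so both forms are
// normalised to a slice. Comparison below is exact (case-sensitive), as the RFC requires.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

// payload models the part of a JWT claim set or of an RFC 7662 introspection
// response that matters here (hypothetical struct, not a library type).
type payload struct {
	Aud Audience `json:"aud"`
}

// parseAud extracts the aud claim from a JSON payload; a missing claim yields an empty slice.
func parseAud(raw []byte) (Audience, error) {
	var p payload
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	return p.Aud, nil
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// audienceOKStrict reproduces the behaviour the issue reports as wrong: every
// value in aud must be one the verifier knows, so a token for foo and bar is
// rejected by a verifier configured for bar only.
func audienceOKStrict(tokenAud Audience, known []string) bool {
	if len(tokenAud) == 0 {
		return false
	}
	for _, a := range tokenAud {
		if !contains(known, a) {
			return false
		}
	}
	return true
}

// audienceOKRFC implements RFC 7519 section 4.1.3: the verifier must identify
// itself with at least one value in aud; additional values it does not know
// are ignored. An aud claim that is present but lists none of the verifier's
// identifiers is rejected. An absent claim is treated as "does not identify us"
// here; the RFC makes the claim optional, so that part is local policy.
func audienceOKRFC(tokenAud Audience, self []string) bool {
	for _, a := range tokenAud {
		if contains(self, a) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a JWT claim set and an introspection response, both
	// naming two audiences, checked by a verifier that identifies itself as "bar".
	samples := [][]byte{
		[]byte(`{"iss":"https://issuer.example","sub":"alice","aud":["foo","bar"]}`),
		[]byte(`{"active":true,"scope":"read","aud":"bar"}`),
	}
	self := []string{"bar"}
	for _, s := range samples {
		aud, err := parseAud(s)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("aud=%v strict=%v rfc=%v\n", aud, audienceOKStrict(aud, self), audienceOKRFC(aud, self))
	}
}
```

The only difference between the two checks is the quantifier: the strict version requires all of the token's audiences to be configured, the RFC version requires any configured identifier to appear in the token. The parser is shared so that the single-string form of "aud" is handled identically in both.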