Description
Currently, the golang.org/x/oauth2/jwt package always sets the aud (audience) claim in the JWT it generates to the same value as the TokenURL field in jwt.Config. This means the package cannot be used if an authorization server expects a different value in the aud claim than that of the token endpoint URL. According to RFC 7523 Section 3 (the RFC that obsoletes draft-ietf-oauth-jwt-bearer-12 referenced in the docs for golang.org/x/oauth2/jwt):
> The JWT MUST contain an "aud" (audience) claim containing a
> value that identifies the authorization server as an intended
> audience. The token endpoint URL of the authorization server
> MAY be used as a value for an "aud" element to identify the
> authorization server as an intended audience of the JWT.
Note that the requirement that the aud claim and token endpoint URL be the same is a MAY and not a MUST.
Salesforce supports the OAuth 2.0 JWT flow, and their documentation mandates that the aud claim be different from the token endpoint URL. Specifically (in a production setting) they require that aud be set to https://login.salesforce.com and the token endpoint URL be set to https://login.salesforce.com/services/oauth2/token.
I propose adding an Audience field to jwt.Config and modifying jwtSource.Token to set claimSet.Aud to js.conf.Audience if js.conf.Audience is not an empty string, and to js.conf.TokenURL otherwise. This keeps backward compatibility with older code while allowing more flexibility for those that need it.
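The proposed fallback, shown end to end as an added example (this is illustrative code written for this page, not code from golang.org/x/oauth2): a stand-in `Config` type with the proposed `Audience` field, `ResolveAudience` implementing the "explicit audience, else TokenURL" rule, an RS256 assertion builder, and the verification an authorization server performs on receipt, including the check that `aud` names that server. The `Config`, `ClaimSet`, `ResolveAudience`, `BuildAssertion` and `VerifyAssertion` names are assumptions for this example; the Salesforce values in `main` are the ones quoted above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Config is a stand-in for the fields of jwt.Config that matter here, plus the
// proposed Audience field (assumption: not the real package type).
type Config struct {
	Email      string
	PrivateKey *rsa.PrivateKey
	Scopes     []string
	TokenURL   string
	Audience   string // proposed: overrides aud when non-empty
}

// ClaimSet is the subset of RFC 7523 claims carried by the assertion.
type ClaimSet struct {
	Iss   string `json:"iss"`
	Scope string `json:"scope,omitempty"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
}

// ResolveAudience implements the proposed rule: an explicit Audience wins,
// otherwise the token endpoint URL is used (today's behaviour of the package).
func ResolveAudience(c *Config) string {
	if c.Audience != "" {
		return c.Audience
	}
	return c.TokenURL
}

// BuildAssertion produces a compact RS256 JWS for the JWT bearer grant.
func BuildAssertion(c *Config, now time.Time) (string, error) {
	claims := ClaimSet{
		Iss:   c.Email,
		Scope: strings.Join(c.Scopes, " "),
		Aud:   ResolveAudience(c),
		Iat:   now.Unix(),
		Exp:   now.Add(time.Hour).Unix(),
	}
	hb, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	cb, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(hb) + "." + enc.EncodeToString(cb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.PrivateKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyAssertion is the authorization server's side: it checks the RS256
// signature (the algorithm is fixed here, never taken from the header), the
// expiry, and that aud identifies this server, as RFC 7523 requires.
func VerifyAssertion(assertion string, pub *rsa.PublicKey, expectedAud string, now time.Time) (*ClaimSet, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed assertion: want 3 parts, got %d", len(parts))
	}
	enc := base64.RawURLEncoding
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	cb, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims ClaimSet
	if err := json.Unmarshal(cb, &claims); err != nil {
		return nil, err
	}
	if claims.Aud != expectedAud {
		return nil, fmt.Errorf("aud %q does not identify this server (%q)", claims.Aud, expectedAud)
	}
	if now.Unix() >= claims.Exp {
		return nil, fmt.Errorf("assertion expired")
	}
	return &claims, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key for the demo
	cfg := &Config{
		Email:      "svc@example.com", // constructed value
		PrivateKey: key,
		TokenURL:   "https://login.salesforce.com/services/oauth2/token",
		Audience:   "https://login.salesforce.com",
	}
	a, _ := BuildAssertion(cfg, time.Now())
	fmt.Println("aud:", ResolveAudience(cfg))
	fmt.Println("assertion:", a)
}
```

Note that the server-side check is what gives the `aud` claim its value: an assertion minted for one authorization server is rejected by another because the audiences differ, which is why the client must be able to emit whatever value the server advertises rather than always the token URL.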