v0.3.23

@macprog-guy tagged this 12 Mar 11:06
The audiences config field was only used for bearer token validation via
KeycloakAuthLayer but completely ignored in the auth code flow. The
openidconnect crate's id_token_verifier() defaults to rejecting all
audiences that aren't the client_id, causing "is not a trusted audience"
errors when the ID token contains additional audiences.

Store the configured audiences in OidcClient and use
set_other_audience_verifier_fn to trust them during ID token validation.
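
A simplified model of the audience check described in the commit message above, showing why a token with an extra audience fails until that audience is configured as trusted. This is an added example, not code from this project or from the openidconnect crate; `AudienceVerifier`, its fields, and the sample client id and audience values are hypothetical.

```rust
use std::collections::HashSet;

/// Simplified model of ID token audience validation (hypothetical type,
/// not the openidconnect crate's implementation).
struct AudienceVerifier {
    client_id: String,
    /// Additional audiences the operator has configured as trusted.
    trusted: HashSet<String>,
}

impl AudienceVerifier {
    fn new(client_id: &str, trusted: &[&str]) -> Self {
        Self {
            client_id: client_id.to_string(),
            trusted: trusted.iter().map(|s| s.to_string()).collect(),
        }
    }

    /// The token must name this client, and every other audience in the
    /// `aud` claim must be on the explicit allow-list.
    fn verify(&self, token_aud: &[&str]) -> Result<(), String> {
        if !token_aud.iter().any(|a| *a == self.client_id) {
            return Err(format!("audience must contain `{}`", self.client_id));
        }
        match token_aud
            .iter()
            .find(|a| **a != self.client_id && !self.trusted.contains(**a))
        {
            Some(a) => Err(format!("`{}` is not a trusted audience", a)),
            None => Ok(()),
        }
    }
}

fn main() {
    // Constructed sample `aud` claim: the client itself plus one extra audience.
    let aud = ["my-app", "account"];

    // No extra audiences trusted: the behaviour the commit message reports.
    let strict = AudienceVerifier::new("my-app", &[]);
    println!("no extra audiences trusted: {:?}", strict.verify(&aud));

    // Configured audiences are trusted: the behaviour after the fix.
    let configured = AudienceVerifier::new("my-app", &["account"]);
    println!("configured audiences:       {:?}", configured.verify(&aud));
    println!("unlisted audience:          {:?}", configured.verify(&["my-app", "other-api"]));
    println!("client_id missing:          {:?}", configured.verify(&["account"]));
}
```

Matching extra audiences against an explicit allow-list keeps rejection in place for tokens that also target audiences nobody configured.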