Support custom audience in access token

[sergiodxa]

Right now, the access token JWT uses the client_id as the aud (audience) value. The audience value can be the client (typically only for id tokens), but it can also be used to indicate the resource server (the API) that will receive and validate the token.

Providers like Auth0 let you pass an audience value as a search param when going to the authorization endpoint, so the JWT can be generated for that intended audience.

It would be nice if OpenAuth added support for this so it can be used not only with clients validating the token but also resource servers validating the token received from the client.

Another thing is that the audience can be a string or an array of strings in case the client requested a token to be used with multiple audiences (resources server).

I think either the issuer accepts any audience value, or there could be an optional function that receives the client_id and the required audience and we can implement validation there to know if the client_id can access that audience.