When using OpenID Connect and a JWT access token, Tyk requires client_id to equal or be a subset of aud.
A token containing
will throw a validation error. (aud can be a list, but the example is kept simple here.)
This seems to be a very rigid interpretation of the specification of audiences. There is not much value in checking that two fields within a token are equal, I would think.
Is this the way it is intended?
The code performing the validation can be found in idtokenvalidator.go, func validateAudiences.
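
The check described in this post, sketched as an added example (this is not Tyk's validateAudiences code, and not from the original post): it decodes a token's payload, accepts aud as either a string or a list, and reports whether client_id is among the values. The names clientIDInAud and fakeToken and the sample claim values are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// clientIDInAud reports whether client_id is in aud; the signature is not verified here.
func clientIDInAud(token string) (bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("not a compact JWT")
	}
	var c struct {
		Aud      json.RawMessage `json:"aud"`
		ClientID string          `json:"client_id"`
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &c)
	}
	if err != nil || c.ClientID == "" {
		return false, fmt.Errorf("bad payload or missing client_id")
	}
	// aud may be a single string or a list of strings; normalise to a list.
	var auds []string
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		auds = []string{one}
	} else if json.Unmarshal(c.Aud, &auds) != nil {
		return false, fmt.Errorf("aud missing or not a string/list")
	}
	found := false
	for _, a := range auds {
		found = found || a == c.ClientID
	}
	return found, nil
}

// fakeToken wraps a constructed payload in an unsigned token for the demo.
func fakeToken(payload string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}

func main() {
	ok, err := clientIDInAud(fakeToken(`{"aud":"https://api.example","client_id":"app-1"}`))
	fmt.Println(ok, err) // aud names the API rather than the client
}
```

An access token whose aud names only the API it is meant for returns false here, while one that lists the client's own ID in aud returns true.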