Add support for multiple audiences

[DerKnerd]

The OIDC provider Zitadel returns multiple audiences. Since I use Zitadel I added the option to have more than one audience in the configuration. If none are provided the client_id is used as only valid audience.

[ctron]

Thanks for submitting the PR! That's definitely useful!

I am just wondering if we could simplify this a bit. To my understanding, calling set_other_audience_verifier_fn is a check in addition to checking the client_id already. So we could rename the valid_audiences to additional_required_audiences (or something like that), give it a type of Vec<_> (instead of the additional Option, and then either omit calling set_other_audience_verifier_fn, or return true if the Vec is empty.

What do you think?

[DerKnerd]

Yeah I think that sounds like a good point. I just used that way in a different server side actix code 😄

[ctron]

I am taking a look at this right now, trying to get it merged.

Just for my understanding: the idea of the set_other_audience_verifier_fn is, to verify each audience present in the token, right? so actually it would not be "additional required audiences", but "additional allowed audiences"?

[DerKnerd]

Yeah that is about it. That is why the client id is always required.

[ctron]

Cool, so the change is released with 0.10.1, maybe you can give it a try and report back if that works for you.

[DerKnerd]

I need to see when I get to it. For the current project I moved the auth into the actix server and its session.