Some deployments of OAuth-SSH may use a web app for token management rather than requiring users to install the Python wrapper scripts on their systems. In that case, the server admin may want to restrict access to tokens generated by that web app, e.g., if the web app does MFA or something else that the server admin wants to be sure happened when the token was generated. So, the PAM module configuration should allow the admin to require a specific client ID in the token introspection response. (It should work similarly to the existing required IDP configuration.) It is unclear whether the PAM module should look for the client ID in the aud field or in the client_id field, as Globus Auth puts the client ID in both places. Whichever is more standard among OAuth2 servers is probably best.
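As an added illustration (not the OAuth-SSH project's code), here is the proposed required-client check run over constructed RFC 7662-style introspection responses. RFC 7662 defines client_id as the client that requested the token and aud as the token's intended audience (a string or a list), so the check takes the field name as a parameter and fails closed when the token is inactive or the field is absent. The sample responses, client IDs and function names are assumptions.

```python
# Constructed sample introspection responses in the RFC 7662 shape;
# these are illustrations, not real Globus Auth output.
SAMPLE_RESPONSES = {
    "webapp": {"active": True, "client_id": "webapp-client",
               "aud": ["webapp-client", "ssh-host"], "sub": "alice"},
    "cli": {"active": True, "client_id": "cli-wrapper",
            "aud": "cli-wrapper", "sub": "alice"},
    "expired": {"active": False},
}


def _as_list(value):
    """aud may be a single string or a list of strings; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def token_client_allowed(response, required_client_id, field="client_id"):
    """Return True only if the introspection response is active and the
    configured field ('client_id' per RFC 7662, or 'aud') names the
    required client ID.  A missing field or an inactive token is rejected."""
    if not response.get("active"):
        return False
    return required_client_id in _as_list(response.get(field))


def check_all(required_client_id, field="client_id"):
    """Evaluate every sample response against the configured requirement."""
    return {name: token_client_allowed(resp, required_client_id, field)
            for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    # Only the token issued to the web app client passes the check.
    print(check_all("webapp-client"))
```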