I took a deeper look at our audience validation logic in response to #175, and saw a few things that could be improved, using the TokenReview API docs as a reference. I still don't think the logic is 100% correct when populating the TokenReview request audiences, but I think we have made some slightly incompatible promises in the Vault API, so I'm hesitant to align completely with the intended usage.
Return 403 instead of 500 when audience validation fails
Pass our expected audience instead of the token's audience to TokenReview
Validate the TokenReview server is audience-aware by checking the returned audiences
I took a deeper look at our audience validation logic in response to #175, and saw a few things that could be improved, using the TokenReview API docs as a reference. I still don't think the logic is 100% correct when populating the TokenReview request audiences, but I think we have made some slightly incompatible promises in the Vault API, so I'm hesitant to align completely with the intended usage.