Closed ricardogsilva closed 6 years ago
Seems like I made some git mistake while trying to apply this PR into my own fork... I'll try to undo things in order to have just the relevant changes be a part of this PR.
I'm closing this PR and submitting a new one with only the relevant modifications...
This PR modifies the authentication backend in order to only allow logging in if the access token's `aud` claim contains one of the trusted audiences. Trusted audiences can be defined in the already existing setting `settings.OIDC_AUTH["OIDC_AUDIENCES"]`.

Other implementation notes

- The `client_id` of the current django project is automatically added to the `OIDC_AUDIENCES` list if not already there.
- According to the openid-connect spec, a token's `aud` claim can be either a list or a string. This PR handles both cases.
- The check for a valid access token is done inside the `get_user_by_id` function in order to make it available also for users that are logging in via django-rest-framework, with the drf-oidc-auth package.