oat-sa / lib-lti1p3-core

PHP library for LTI 1.3 Core implementations as platforms and / or as tools.
GNU General Public License v2.0

`aud` Claim in ServiceClient should not assume it is always equal to getOAuth2AccessTokenUrl #46

Closed screambeard closed 4 years ago

screambeard commented 4 years ago

According to the IMSGlobal spec (https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant): "...the authorization server MAY instruct the Consumer to use the token endpoint URL of the authorization server as a value for an aud element..."

Not all platforms do this. For example, Brightspace has a separate audience value. Brightspace's OAuth2 Audience is https://api.brightspace.com/auth/token and its OAuth2 Access Token URL is https://auth.brightspace.com/core/connect/token.

In the current implementation of the ServiceClient the aud is set equal to the platform->getOAuth2AccessTokenUrl() value. I propose to set it equal to the platform->getAudience() value.

The piece of code to be changed is: https://github.com/oat-sa/lib-lti1p3-core/blob/b6d1e061cba84a5ca50ec934be8151f5f1f2e7e3/src/Service/Client/ServiceClient.php#L180
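The exchange the issue describes, as an added example in plain PHP with ext-openssl (this is not code from lib-lti1p3-core or from the reporter): a tool builds the client_credentials JWT client assertion, and an authorization server that only accepts its published audience rejects an assertion whose `aud` carries the token endpoint URL. `PlatformConfig`, `resolveAudience`, `buildClientAssertion`, `verifyClientAssertion`, the key id and the client id are hypothetical; the two Brightspace URLs are the ones quoted above.

```php
<?php
declare(strict_types=1);

// Added example, not library code. Hypothetical names throughout; RS256 via ext-openssl.

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string
{
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('invalid base64url');
    }
    return $decoded;
}

/** Hypothetical platform configuration; the audience is optional because not every platform publishes one. */
final class PlatformConfig
{
    public function __construct(
        public string $clientId,
        public string $oAuth2AccessTokenUrl,
        public ?string $audience = null
    ) {
    }
}

/** `aud` is the configured audience when the platform publishes one, otherwise the token endpoint URL (the spec's MAY). */
function resolveAudience(PlatformConfig $platform): string
{
    return $platform->audience ?? $platform->oAuth2AccessTokenUrl;
}

/** Tool side: build and sign the client assertion sent to the token endpoint. */
function buildClientAssertion(PlatformConfig $platform, OpenSSLAsymmetricKey $privateKey, string $kid, int $now): string
{
    $header = ['typ' => 'JWT', 'alg' => 'RS256', 'kid' => $kid];
    $payload = [
        'iss' => $platform->clientId,
        'sub' => $platform->clientId,
        'aud' => resolveAudience($platform),
        'iat' => $now,
        'exp' => $now + 60,
        'jti' => bin2hex(random_bytes(16)),
    ];
    $signingInput = base64UrlEncode(json_encode($header, JSON_THROW_ON_ERROR))
        . '.' . base64UrlEncode(json_encode($payload, JSON_THROW_ON_ERROR));
    if (!openssl_sign($signingInput, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return $signingInput . '.' . base64UrlEncode($signature);
}

/** Authorization-server side: pin the algorithm, verify the signature, then require an accepted `aud`. */
function verifyClientAssertion(string $jwt, OpenSSLAsymmetricKey $publicKey, array $acceptedAudiences, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('malformed JWT');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64UrlDecode($h), true, 512, JSON_THROW_ON_ERROR);
    if (($header['alg'] ?? null) !== 'RS256') {
        throw new InvalidArgumentException('unexpected alg'); // never let the token choose the algorithm
    }
    if (openssl_verify($h . '.' . $p, base64UrlDecode($s), $publicKey, OPENSSL_ALGO_SHA256) !== 1) {
        throw new InvalidArgumentException('bad signature');
    }
    $claims = json_decode(base64UrlDecode($p), true, 512, JSON_THROW_ON_ERROR);
    if (($claims['exp'] ?? 0) <= $now) {
        throw new InvalidArgumentException('expired');
    }
    $aud = (array) ($claims['aud'] ?? []); // RFC 7519: aud is a string or an array of strings
    if (array_intersect($aud, $acceptedAudiences) === []) {
        throw new InvalidArgumentException('aud ' . json_encode($aud) . ' not accepted');
    }
    return $claims;
}

// Constructed demo: Brightspace values from the issue; the client id is made up.
$brightspace = new PlatformConfig(
    'client-id-example',
    'https://auth.brightspace.com/core/connect/token',
    'https://api.brightspace.com/auth/token'
);
// Same platform with no audience configured: aud falls back to the token URL, the behaviour the issue reports.
$tokenUrlOnly = new PlatformConfig($brightspace->clientId, $brightspace->oAuth2AccessTokenUrl);

$privateKey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$publicKey = openssl_pkey_get_public(openssl_pkey_get_details($privateKey)['key']);
$now = time();

foreach (['token URL as aud' => $tokenUrlOnly, 'configured audience as aud' => $brightspace] as $label => $platform) {
    $jwt = buildClientAssertion($platform, $privateKey, 'tool-key-1', $now);
    try {
        verifyClientAssertion($jwt, $publicKey, [$brightspace->audience], $now);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run with `php example.php`: the first assertion is rejected with an `aud` mismatch, the second is accepted. The server-side check is deliberately an allow-list of accepted audiences rather than a single string comparison against the token endpoint, which is what lets a platform publish a distinct audience in the first place.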

ekkinox commented 4 years ago

Hello @screambeard , thx for reporting this issue.

I'm currently working on a new major core release 3.0.0, this will be included.

I'll ping you here once available.

ekkinox commented 4 years ago

@screambeard: Released in 3.0.0 => https://github.com/oat-sa/lib-lti1p3-core/releases/tag/3.0.0