ory / hydra

OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.
Apache License 2.0

oauth2: Custom audience param in /oauth2/auth is ignored #3295

Open architeacher opened 1 year ago

architeacher commented 1 year ago

Describe the bug

Hydra doesn't handle the custom audience param in the /oauth2/auth request. Only the default audience, which is the client name, is present in the ID Token by default.

Reproducing the bug

Steps to reproduce the behavior:

  1. Follow the 5 minute tutorial to set up Hydra.
  2. Create a client with id auth-code-client that is capable of the Authorization Code Grant and whose audience is set to https://foo.bar.buz:
    docker-compose -f quickstart.yml exec hydra \
      hydra clients create \
      --endpoint http://127.0.0.1:4445 \
      --id auth-code-client \
      --secret secret \
      --audience "https://foo.bar.buz" \
      --grant-types authorization_code,refresh_token \
      --response-types code,id_token \
      --scope openid,offline \
      --callbacks http://127.0.0.1:5555/callback
  3. Set up the home route:
    docker-compose -f quickstart.yml exec hydra \
      hydra token user \
      --client-id auth-code-client \
      --client-secret secret \
      --endpoint http://127.0.0.1:4444/ \
      --port 5555 \
      --scope openid,offline
  4. Copy the "Authorize application" link.
  5. Modify the audience parameter value to https%3A%2F%2Ffoo.bar.buz, so the link looks like: http://127.0.0.1:4444/oauth2/auth?audience=https%3A%2F%2Ffoo.bar.buz&client_id=auth-code-client&max_age=0&nonce=wdhoiprayklzkvzatwowmzsp&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=jojcywqutzgnoqwbramhkjza
  6. Copy the link from the previous step and continue the authorization.
  7. Copy the value of the encoded ID Token.
  8. You should receive an encoded ID Token. After decoding it on https://jwt.io/ you will get something like:
    {
      "at_hash": "gz3Pl_WR1EG1xViTQ2Vh-Q",
      "aud": [
        "auth-code-client"
      ],
      "auth_time": 1665581337,
      "exp": 1665585234,
      "iat": 1665581634,
      "iss": "http://127.0.0.1:4444/",
      "jti": "55fc9802-e6e9-4f19-9b52-8e2ab5923b13",
      "nonce": "hosviywywcflwlceuxsradyd",
      "rat": 1665581629,
      "sid": "095bcc88-640a-47e0-89fa-f754a576058b",
      "sub": "foo@bar.com"
    }

    Expected Result

    {
      "at_hash": "gz3Pl_WR1EG1xViTQ2Vh-Q",
      "aud": [
        "https://foo.bar.buz"
      ],
      "auth_time": 1665581337,
      "exp": 1665585234,
      "iat": 1665581634,
      "iss": "http://127.0.0.1:4444/",
      "jti": "55fc9802-e6e9-4f19-9b52-8e2ab5923b13",
      "nonce": "hosviywywcflwlceuxsradyd",
      "rat": 1665581629,
      "sid": "095bcc88-640a-47e0-89fa-f754a576058b",
      "sub": "foo@bar.com"
    }

What is the expected behavior? Hydra should handle the audience param in the /oauth2/auth request and then create an ID Token whose audience contains only the custom audiences that were requested; if none were requested, it can fall back to the current value.

Relevant log output

No response

Relevant configuration

No response

Version

v1.11.10

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker Compose

Additional Context

No response

beanow-at-crabnebula commented 4 months ago

Still an issue.

Found that the client ID is hard-coded for the ID token claims here: https://github.com/ory/hydra/blob/017ebae6e65a773f89d4f4d635e8694f83900f09/oauth2/handler.go#L1120

Regardless of correctly specifying the requested audience and the audience being allow-listed. https://github.com/ory/hydra/blob/017ebae6e65a773f89d4f4d635e8694f83900f09/oauth2/handler.go#L1076

Ironically it seems like fosite then appends the client ID again and deduplicates it: https://github.com/ory/fosite/blob/5e039ca9eef18ba5317f62760e111214bf93945f/handler/openid/strategy_jwt.go#L228

Note that this only applies to the ID token. When using:

strategies:
  access_token: jwt

The access token will set the requested audience(s).
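The following Go program is an added example and is not Hydra's or fosite's code. It models the ID token audience handling discussed in the issue and in the comment above: the audience values requested on /oauth2/auth are extracted from the authorize link, checked against the client's allow-list (the value given with --audience), and the "aud" claim is built from the granted audiences plus the client ID, deduplicated, falling back to the client ID alone when nothing was requested. Keeping the client ID in "aud" is deliberate: OpenID Connect Core requires the ID token audience to contain the Relying Party's client_id, which is why fosite appends it, so the fix the issue asks for should add the requested audiences rather than replace the client ID. All type and function names are hypothetical, and the assumption that a single audience parameter may carry a space-separated list is this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Client is a minimal stand-in (hypothetical) for an OAuth2 client registration.
type Client struct {
	ID       string
	Audience []string // allow-listed audiences, as registered with --audience
}

// RequestedAudience extracts the audience parameter(s) from an authorize URL.
// Both repeated "audience" params and a single space-separated value are
// accepted (the latter is an assumption of this example).
func RequestedAudience(authorizeURL string) ([]string, error) {
	u, err := url.Parse(authorizeURL)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, v := range u.Query()["audience"] {
		out = append(out, strings.Fields(v)...)
	}
	return out, nil
}

// GrantAudience returns the requested audiences if every one of them is
// allow-listed for the client, and an error otherwise. A requested audience
// that is not registered must be rejected, never silently dropped.
func GrantAudience(c Client, requested []string) ([]string, error) {
	allowed := make(map[string]bool, len(c.Audience))
	for _, a := range c.Audience {
		allowed[a] = true
	}
	granted := make([]string, 0, len(requested))
	for _, r := range requested {
		if !allowed[r] {
			return nil, fmt.Errorf("audience %q is not allow-listed for client %q", r, c.ID)
		}
		granted = append(granted, r)
	}
	return granted, nil
}

// IDTokenAudience builds the "aud" claim: the granted audiences followed by
// the client ID, with duplicates removed and order preserved. With nothing
// requested the result is just the client ID, which is today's behaviour.
func IDTokenAudience(clientID string, granted []string) []string {
	seen := make(map[string]bool)
	var aud []string
	for _, a := range append(append([]string{}, granted...), clientID) {
		if !seen[a] {
			seen[a] = true
			aud = append(aud, a)
		}
	}
	return aud
}

// AudienceMatches is the check a token consumer must run: reject the token
// unless its own identifier is present in "aud".
func AudienceMatches(aud []string, expected string) bool {
	for _, a := range aud {
		if a == expected {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input mirroring the reproduction steps in the issue.
	client := Client{ID: "auth-code-client", Audience: []string{"https://foo.bar.buz"}}
	link := "http://127.0.0.1:4444/oauth2/auth?audience=https%3A%2F%2Ffoo.bar.buz&client_id=auth-code-client&response_type=code&scope=openid+offline"

	requested, err := RequestedAudience(link)
	if err != nil {
		panic(err)
	}
	granted, err := GrantAudience(client, requested)
	if err != nil {
		panic(err)
	}
	fmt.Println("aud:", IDTokenAudience(client.ID, granted))
	fmt.Println("accepted by https://foo.bar.buz:", AudienceMatches(IDTokenAudience(client.ID, granted), "https://foo.bar.buz"))

	// An audience the client never registered is refused outright.
	_, err = GrantAudience(client, []string{"https://not.registered.example"})
	fmt.Println("unregistered audience:", err)
}
```

The practical caveat for anyone relying on this claim today: because Hydra (v1.11.10 in the report) only emits the client ID in the ID token's "aud", a resource or service that expects to find itself in "aud" will reject the token even though the audience was requested and allow-listed; until the behaviour changes, such consumers should validate the JWT access token's audience instead, as the comment above notes.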