Support multiple audience values in issued JWT access tokens #2211
Description
Current Limitation
Thunder issues JWT access tokens with a single-value aud claim, set to the OAuth application's client ID. RFC 8707 allows clients to pass multiple resource parameters in a single authorization or token request, indicating the token should be valid at multiple Resource Servers. RFC 7519 (JWT) supports aud as either a single string or an array of strings, but Thunder currently has no way to issue tokens with multiple audience values. This blocks full RFC 8707 compliance for multi-resource token requests.
Suggested Improvement
Support issuing JWT access tokens with an aud claim containing an array of Resource Server URIs when multiple resource parameters are present in the request. When a single resource is requested, aud should remain a single string for backward compatibility. Token introspection responses should also reflect multi-audience values. The token's effective permissions should be downscoped to the union of permissions relevant to the requested Resource Servers, and the effective scope should be communicated in the token response per RFC 6749 Section 5.1 when it differs from the requested scope.
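The following is an added example, not Thunder's code, showing the claim shape the proposal describes: a Go `Audience` type that marshals as a plain string for one resource and as an array for several, parses both forms on the resource-server side, and a `Downscope` helper that reduces the requested scope to the union of what the requested Resource Servers accept and reports when the token response must carry `scope` per RFC 6749 Section 5.1. The resource URIs, scope names, the `accepts` map and the fallback to the client ID when no `resource` parameter is present are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Audience is the JWT "aud" claim. RFC 7519 Section 4.1.3 allows a single
// string or an array of strings; the custom marshalling keeps a single
// resource as a plain string (backward compatible) and emits an array otherwise.
type Audience []string

func (a Audience) MarshalJSON() ([]byte, error) {
	if len(a) == 1 {
		return json.Marshal(a[0])
	}
	return json.Marshal([]string(a))
}

// UnmarshalJSON accepts both forms so a resource server can validate tokens
// issued before and after multi-audience support.
func (a *Audience) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*a = Audience{s}
		return nil
	}
	var list []string
	if err := json.Unmarshal(b, &list); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = Audience(list)
	return nil
}

// Contains is the check a resource server performs: a token whose aud does
// not name this server must be rejected, whatever the claim's JSON shape.
func (a Audience) Contains(id string) bool {
	for _, v := range a {
		if v == id {
			return true
		}
	}
	return false
}

// Claims is the subset of access-token claims relevant to this example.
type Claims struct {
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Aud   Audience `json:"aud"`
	Scope string   `json:"scope,omitempty"`
}

// BuildAudience maps RFC 8707 resource parameters onto aud. Falling back to
// the client ID when no resource parameter is present is an assumed policy.
func BuildAudience(clientID string, resources []string) Audience {
	if len(resources) == 0 {
		return Audience{clientID}
	}
	return Audience(resources)
}

// Downscope keeps the requested scopes that at least one requested resource
// server accepts (the union of per-resource permissions). The bool reports
// whether the effective scope differs from the request, in which case the
// token response must include "scope" (RFC 6749 Section 5.1).
func Downscope(requested, resources []string, accepts map[string][]string) ([]string, bool) {
	union := map[string]bool{}
	for _, rs := range resources {
		for _, s := range accepts[rs] {
			union[s] = true
		}
	}
	var effective []string
	for _, s := range requested {
		if union[s] {
			effective = append(effective, s)
		}
	}
	return effective, len(effective) != len(requested)
}

func main() {
	// Constructed sample data: two resource servers and the scopes each accepts.
	accepts := map[string][]string{
		"https://api.example.com/orders":  {"orders:read", "orders:write"},
		"https://api.example.com/billing": {"billing:read"},
	}
	resources := []string{"https://api.example.com/orders", "https://api.example.com/billing"}
	requested := []string{"orders:read", "billing:read", "admin"}

	effective, changed := Downscope(requested, resources, accepts)
	claims := Claims{Iss: "https://thunder.example.com", Sub: "user-123",
		Aud: BuildAudience("client-abc", resources), Scope: strings.Join(effective, " ")}
	body, _ := json.Marshal(claims)
	fmt.Println(string(body))
	fmt.Println("scope narrowed, echo it in the token response:", changed)

	single, _ := json.Marshal(BuildAudience("client-abc", resources[:1]))
	fmt.Println("single resource aud:", string(single))
}
```

Introspection responses can reuse the same `Audience` type so that `aud` in the introspection JSON mirrors the token: a string for one resource, an array for several.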