refactor: jwt client authentication audience is now an issuer identifier string

If needed this can be reverted using the `extras.clientAssertionPayload` option.

Author: panva

lib/helpers/client.js

@@ -92,17 +92,14 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
     case 'private_key_jwt':
     case 'client_secret_jwt': {
       const timestamp = now();
-      const audience = [
-        ...new Set([this.issuer.issuer, this.issuer.token_endpoint].filter(Boolean)),
-      ];
 
       const assertion = await clientAssertion.call(this, endpoint, {
         iat: timestamp,
         exp: timestamp + 60,
         jti: random(),
         iss: this.client_id,
         sub: this.client_id,
-        aud: audience,
+        aud: this.issuer.issuer,
         ...clientAssertionPayload,
       });