feat: Enable global disabling of verifying client id against aud on jwt

[philipgough]

No description provided.

[squat]

What is the use-case here? Does this resolve any outstanding issues?
I've seen people ask for something like this before, but most of the time, disabling this is wrong and is simply a way to bypass a misconfiguration in infrastructure.

For more complex auth scenarios where Observatorium is a middleman, the IdP should be configured to return a list of valid client IDs in the aud claim so we can verify that our token is in the list. Without this check, we run the risk of hitting well-known security holes where tokens are forwarded to apps that they were not intended for, resulting in privilege escalation.

The OIDC spec is really clear that the aud claim needs to be checked and MUST include the client ID.
In general, skirting around security best practices is concerning to me and if we were to go through with this, I think we should add a clear warning by renaming the flag to be something like --insecure-oidc.skip-client-id-check, as go projects often do with insecure-skip-verify

[philipgough]

For more complex auth scenarios where Observatorium is a middleman, the IdP should be configured to return a list of valid client IDs in the aud claim so we can verify that our token is in the list.

yeah i suppose this was the use case. we dont have direct control over the IdP ourselves. But your right, it is an internal/infra problem rather than something we should merge here. Ill close it