Add OneOrMany contains claim validator

crates/oidc-client/src/error.rs

@@ -602,10 +602,6 @@ pub enum JwtVerificationError {
     #[error(transparent)]
     Claim(#[from] ClaimError),
 
-    /// The audience of the JWT is not this client.
-    #[error("wrong aud claim")]
-    WrongAudience,
-
     /// The algorithm used for signing the JWT is not the one that was
     /// requested.
     #[error("wrong signature alg")]

crates/oidc-client/src/requests/jose.rs

@@ -130,10 +130,7 @@ pub fn verify_signed_jwt<'a>(
     claims::ISS.extract_required_with_options(&mut claims, issuer.as_str())?;
 
     // Must have the proper audience.
-    let aud = claims::AUD.extract_required(&mut claims)?;
-    if !aud.contains(client_id) {
-        return Err(JwtVerificationError::WrongAudience);
-    }
+    claims::AUD.extract_required_with_options(&mut claims, client_id)?;
 
     // Must use the proper algorithm.
     if header.alg() != signing_algorithm {