Description
Currently, when creating a third-party JWT, generateThirdPartyToken in the @opensecret/react SDK takes an optional audience as a parameter. If it is not set, a JWT with no audience restriction is generated; such a token has no aud claim in its decoded JWT payload.
If it is set, OpenSecret requires it to be in URL format, and the decoded JWT payload then carries an aud claim with that URL. If a value in an invalid (non-URL) format is passed to the generateThirdPartyToken method, a 400 response is returned with a "bad request" message. However, this is problematic when the third-party systems this token is used with require a different audience value. One such example is the Supabase platform, where the audience can refer to one of the roles in the Supabase system, such as authenticated or anon (see the Supabase aud description here), rather than a URL.
Thus, OpenSecret should allow other string values for the audience, not just the URL format.
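The consuming side of the picture, as an added example that is not part of the OpenSecret SDK or this issue: decoding a third-party JWT's payload and enforcing an expected aud value, so that a token issued with no audience restriction, or with a URL audience, is rejected by a consumer that expects a Supabase-style role name. The sample tokens, claims and the placeholder signature are constructed here; signature verification is deliberately out of scope.

```javascript
// Added example (not from the OpenSecret SDK): inspect the `aud` claim of a
// third-party JWT and enforce an expected audience on the consuming side.
// Signature verification is out of scope here; this only decodes the payload.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const pad = '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

// Decode the payload of a compact JWT (header.payload.signature) without
// checking the signature; use only for claim inspection, never for trust decisions.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// RFC 7519 section 4.1.3: `aud` is a string or an array of strings, and a
// consumer not named in it must reject the token. A missing `aud` is also
// rejected here, so an unrestricted token cannot be replayed into this service.
function audienceMatches(payload, expected) {
  const aud = payload.aud;
  if (aud === undefined) return false;
  const list = Array.isArray(aud) ? aud : [aud];
  return list.some((a) => typeof a === 'string' && a === expected);
}

// Constructed sample tokens (placeholder signature, not cryptographically valid).
const SIG = 'placeholder-signature';
function makeToken(claims) {
  return `${base64UrlEncode({ alg: 'HS256', typ: 'JWT' })}.${base64UrlEncode(claims)}.${SIG}`;
}

const tokenNoAud = makeToken({ sub: 'user-1', exp: 1700000000 });          // no aud claim at all
const tokenUrlAud = makeToken({ sub: 'user-1', aud: 'https://api.example.com' }); // URL-form aud
const tokenRoleAud = makeToken({ sub: 'user-1', aud: 'authenticated' });   // Supabase-style role aud

// A Supabase-style consumer expects the role name, not a URL, so only the
// third token is accepted.
console.log(audienceMatches(decodePayload(tokenNoAud), 'authenticated'));   // false
console.log(audienceMatches(decodePayload(tokenUrlAud), 'authenticated'));  // false
console.log(audienceMatches(decodePayload(tokenRoleAud), 'authenticated')); // true
```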