JWT-SVID: aud claim missing from most issued tokens (spec violation)

## Summary

The JWT-SVID specification (§3) requires that the \`aud\` claim **MUST** be present in every issued JWT-SVID. However, \`internal/service/credential.go\` lines 206–208 only sets \`aud\` when \`IssueRequest.Audience\` is non-empty — tokens issued without an explicit audience have no \`aud\` claim at all.

## Location

\`internal/service/credential.go\` ~L206–208

```go
if len(req.Audience) > 0 {
    claims["aud"] = req.Audience
}
```

## Impact

Tokens issued without an explicit audience fail JWT-SVID validation in any conformant verifier (e.g. \`authjwt\` client package). This is a spec-level violation that breaks interoperability.

## Fix

Default \`aud\` to the issuer URL when the caller does not specify an audience:

```go
aud := req.Audience
if len(aud) == 0 {
    aud = []string{issuerURL}
}
claims["aud"] = aud
```

## Reference

- [JWT-SVID spec §3](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#3-jwt-svid-format): "The \`aud\` claim MUST be present"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JWT-SVID: aud claim missing from most issued tokens (spec violation) #42

Summary

Location

Impact

Fix

Reference

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

JWT-SVID: aud claim missing from most issued tokens (spec violation) #42

Description

Summary

Location

Impact

Fix

Reference

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions