RFC7523: Allow associating an audience allow list to a public key trust.

[trondhauge85]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

When creating a public key trust, it should be possible to restrict access to a limited set of audiences. Currently, some third-party clients are authorized to issue tokens for a subset of our customers, which they use to access our APIs. While we can limit their actions through associated scopes, we cannot restrict their access to specific endpoints. Therefore, it would be beneficial to be able to associate one or more audiences with a public key, thus containing requests to a limited number of endpoints.

Describe your ideal solution

Add an additional method "GetPublicKeyAudiences" to the RFC7523KeyStorage interface. The rfc7523 handler should then check if that method returns an audience and throw an exception if the token request contains audiences that are not on the allow list. If the audience list is nil (or empty?) all audiences in the token request should be granted.

Workarounds or alternatives

We are running a modified version of fosite which has implemented this feature.

Version

v0.44.0

Additional Context

I am willing to have a go at implementing this feature to help get it into a coming release.