fix: allow audience claim to be an array (#12810)

Some incorrect setups might have multiple audiences
where they are trying to use a single authentication
endpoint for multiple services.

Nevertheless OpenID spec allows it to make it
even more confusin for no good reason.

> It MUST contain the OAuth 2.0 client_id of the
> Relying Party as an audience value. It MAY also
> contain identifiers for other audiences. In the
> general case, the aud value is an array of case
> sensitive strings. In the common special case
> when there is one audience, the aud value MAY
> be a single case sensitive string.

fixes #12809

docs/sts/web-identity.py

@@ -64,19 +64,20 @@ def callback():
 
     data = {'grant_type': 'authorization_code',
             'code': authorization_code, 'redirect_uri': callback_uri}
-    access_token_response = requests.post(
-        token_url, data=data, verify=False, allow_redirects=False, auth=(client_id, client_secret))
+    id_token_response = requests.post(
+        token_url, data=data, verify=False,
+        allow_redirects=False, auth=(client_id, client_secret))
 
-    print('body: ' + access_token_response.text)
+    print('body: ' + id_token_response.text)
 
-    # we can now use the access_token as much as we want to access protected resources.
-    tokens = json.loads(access_token_response.text)
-    access_token = tokens['access_token']
+    # we can now use the id_token as much as we want to access protected resources.
+    tokens = json.loads(id_token_response.text)
+    id_token = tokens['id_token']
 
     response = sts_client.assume_role_with_web_identity(
         RoleArn='arn:aws:iam::123456789012:user/svc-internal-api',
         RoleSessionName='test',
-        WebIdentityToken=access_token,
+        WebIdentityToken=id_token,
         DurationSeconds=3600
     )