fix(client_id): include options.client_id in authorized id_info[:aud] #119

Open
wants to merge 1 commit into
base: master
Conversation

@wJoenn wJoenn commented Feb 14, 2025

Summary

In the callback phase, when an id_token is present (which can be the case when signing in from a client-side application, for example), the client_id used to verify the authorization code is extracted from the id_token[:aud].

The extracted :aud is then compared to the authorized_client_ids option and used if present in that list.

This means that if no authorized_client_ids were provided in the middleware's configuration, despite there being a CLIENT_ID, the callback will fail with an invalid_client_id error.

A solution is to duplicate the client_id this way:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :apple, ENV['CLIENT_ID'], '',
           {
             authorized_client_ids: [ENV['CLIENT_ID']], # Add this
             scope: 'email name',
             team_id: ENV['TEAM_ID'],
             key_id: ENV['KEY_ID'],
             pem: ENV['PRIVATE_KEY']
           }
end

But I find this to be highly non-intuitive.

Instead, I include options.client_id when validating the :aud, which solves the issue.
