fix: aud for jwt oauth tokens no longer gets the client id pushed in

ID Tokens continue ensuring conform ID Token behaviour by forcing the
azp claim if the audience is an array and ensuring the azp value is
in the aud array. For now.

lib/helpers/defaults.js

@@ -595,7 +595,9 @@ const DEFAULTS = {
      *         throw new InvalidResource('unauthorized "resource" requested');
      *       }
      *
-     *       return transform(resourceParam, grantedResource); // => array of validated and transformed string audiences
+     *       // => array of validated and transformed string audiences or undefined if no audiences
+     *       //    are to be listed
+     *       return transform(resourceParam, grantedResource);
      *     }
      *   },
      *   formats: {

lib/helpers/ensure_conform.js

@@ -3,11 +3,12 @@ const assert = require('assert');
 module.exports = function ensureConform(audiences, clientId) {
   assert(Array.isArray(audiences), 'audiences must be an array');
 
-  const value = Array.from(audiences);
+  const value = audiences.slice();
   value.forEach((audience) => {
     assert(audience && typeof audience === 'string', 'audiences must be non-empty string values');
   });
-  if (!value.includes(clientId)) {
+
+  if (clientId && !value.includes(clientId)) {
     value.unshift(clientId);
   }
 

lib/models/mixins/set_audiences.js

@@ -2,11 +2,10 @@ const ensureConform = require('../../helpers/ensure_conform');
 
 module.exports = superclass => class extends superclass {
   setAudiences(audiences) {
-    const { clientId } = this;
     if (audiences) {
-      const value = ensureConform(audiences, clientId);
+      const value = ensureConform(audiences);
 
-      if (value.length > 1) {
+      if (value.length) {
         this.aud = value;
       }
     }