Expected Behavior

Although rfc7523#section-3 says the token URL MAY be used as the aud claim value, it is not required to be this value; some systems expect it to be the issuer URL rather than the token endpoint URL.

Could we provide an override `Function<ClientRegistration, String>` that extracts the desired value from the registration?

Current Behavior

`NimbusJwtClientAuthenticationParametersConverter`:

```java
// aud is hard-coded to the provider's token endpoint URI
JwtClaimsSet.Builder claimsBuilder = JwtClaimsSet.builder()
        .issuer(clientRegistration.getClientId())
        .subject(clientRegistration.getClientId())
        .audience(Collections.singletonList(clientRegistration.getProviderDetails().getTokenUri()))
        .id(UUID.randomUUID().toString())
        .issuedAt(issuedAt)
        .expiresAt(expiresAt);
```

Context

Integrating with ForgeRock as an IdP using a PRIVATE_KEY_JWT client where the aud claim of the signed JWT is expected to be the issuer URL.
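The following is an added, self-contained illustration of the override proposed above; it is not Spring Security code and does not use the library's types. `Registration` is a hypothetical stand-in for `ClientRegistration` carrying only the fields needed here, the claim set is modelled as a `Map` instead of `JwtClaimsSet`, the URLs are constructed placeholders, and `audienceAccepted` is a constructed model of the authorization server's aud check, not any provider's actual validation logic. It shows the default (token URI) and issuer-URI resolvers side by side and why the choice matters: an assertion whose single aud value does not match what the server publishes for itself is rejected.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.function.Function;

// Hypothetical stand-in for Spring's ClientRegistration; only the fields this example needs.
record Registration(String clientId, String tokenUri, String issuerUri) {}

public final class AudienceResolverExample {

    // Default, matching the current behaviour: aud = token endpoint URI.
    static final Function<Registration, String> TOKEN_URI_AUDIENCE = Registration::tokenUri;

    // Override for providers that expect aud = issuer URI.
    static final Function<Registration, String> ISSUER_URI_AUDIENCE = Registration::issuerUri;

    // Builds the claim set for a private_key_jwt client assertion (RFC 7523 section 3),
    // taking the aud value from the resolver instead of hard-coding the token URI.
    static Map<String, Object> buildClaims(Registration reg,
                                           Function<Registration, String> audienceResolver,
                                           long issuedAtEpochSeconds,
                                           long lifetimeSeconds) {
        String audience = audienceResolver.apply(reg);
        if (audience == null || audience.isBlank()) {
            // Fail closed: an assertion without an audience is not bound to any server.
            throw new IllegalStateException("audience resolver returned no value for " + reg.clientId());
        }
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("iss", reg.clientId());
        claims.put("sub", reg.clientId());
        claims.put("aud", Collections.singletonList(audience));   // exactly one audience, no wildcards
        claims.put("jti", UUID.randomUUID().toString());          // unique id, lets the server detect replay
        claims.put("iat", issuedAtEpochSeconds);
        claims.put("exp", issuedAtEpochSeconds + lifetimeSeconds); // short lifetime limits the replay window
        return claims;
    }

    // Constructed model of the authorization server's aud check: the assertion is accepted only
    // if one of its aud values is exactly the identifier the server expects for itself.
    static boolean audienceAccepted(Map<String, Object> claims, String expectedAudience) {
        Object aud = claims.get("aud");
        if (!(aud instanceof List<?> values)) {
            return false;
        }
        return values.stream().anyMatch(expectedAudience::equals);
    }

    public static void main(String[] args) {
        // Constructed sample registration; the URLs are placeholders, not a real deployment.
        Registration reg = new Registration("my-client",
                "https://idp.example.test/oauth2/token",
                "https://idp.example.test");

        long issuedAt = 1_700_000_000L;
        Map<String, Object> tokenUriClaims = buildClaims(reg, TOKEN_URI_AUDIENCE, issuedAt, 60);
        Map<String, Object> issuerUriClaims = buildClaims(reg, ISSUER_URI_AUDIENCE, issuedAt, 60);

        // A provider like the one described in the issue expects aud to equal its issuer URI.
        String serverExpects = reg.issuerUri();
        System.out.println("aud=token URI accepted by issuer-URI server: "
                + audienceAccepted(tokenUriClaims, serverExpects));
        System.out.println("aud=issuer URI accepted by issuer-URI server: "
                + audienceAccepted(issuerUriClaims, serverExpects));
    }
}
```

The resolver keeps the audience a single exact value per registration rather than widening it to a list of every plausible URL; aud is what binds the assertion to one authorization server, so accepting a looser match on either side would let an assertion minted for one endpoint be presented to another.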

Comment From: jgrandja

Closing as duplicate of gh-9855