Multiple Entries in "aud" error

[tydalforce]

Preface, I'm a server admin and rather technical, but relatively inexperienced working with OpenID so forgive me if I'm missing something obvious or get some terminology jumbled

I've got mod_auth_openidc mostly configured correctly in an environment, but getting a frustrating error / failure when the provider redirects back to my server:

[Tue Oct 01 18:39:05.293947 2024] [auth_openidc:error] [pid 14087:tid 14101] [client 11.11.11.111:52053] oidc_proto_idtoken_validate_aud_and_azp: our configured client_id (de7a47f6fc184b8f8adb4fa70c6ec3a5) was found in the array of values for "aud" claim, but there are other unknown/untrusted values included as well, referer: https://xxxxxxx.identity.mycompany.com/
[Tue Oct 01 18:39:05.293957 2024] [auth_openidc:error] [pid 14087:tid 14101] [client 11.11.11.111:52053] oidc_proto_idtoken_parse: id_token payload could not be validated, aborting, referer: https://xxxxxxx.identity.mycompany.com/

With debug logging enabled, I can see the id_token json, and I do see "aud" in there with two values:

"aud":["https:\/\/identity.mycompany.com\/","de7a47f6fc184b8f8adb4fa70c6ec3a5"],

That particular hostname doesn't directly resolve to an IP; the actual servers are all in the form "xxxxxxx.identity.mycompany.com/"; I don't know if this matters.

I was trying to figure out if there was a parameter or filter I could set to get past this, or if I'd misconfigured something?

As a test, I did find this bit of logic in the code, in id_token.c, in oidc_proto_idtoken_validate_aud_and_azp:

                    if (json_array_size(aud) > 1) {
                            oidc_error(
                                r,
                                "our configured client_id (%s) was found in the array of values "
                                "for \"%s\" claim, but there are other unknown/untrusted values included as well",
                                oidc_cfg_provider_client_id_get(provider), OIDC_CLAIM_AUD);
                            return FALSE;
                    }

If I comment out that section and rebuild, it seems to work fine (so far!).
Things I've tried (not necessarily all at once):

OIDCUserInfoClaimsExpr '. + { aud: (.aud - (.aud | map(select(contains("mycompany"))))) }'
OIDCUserInfoClaimsExpr 'del(.aud)'
OIDCFilterClaimsExpr '. + { aud: (.aud - (.aud | map(select(contains("mycompany"))))) }'
OIDCFilterClaimsExpr 'del(.aud)'
OIDCRedirectURLsAllowed ^https://(\w+).identity.mycompany.com

What am I missing here?

[zandbelt]

what Identity Provider software are you using?

[tydalforce]

It's Oracle IDCS
I'm following along in #1272 and I think your idea of modifying the aud validation would solve my problem too. We posted about the same time; if I'd seen that post when I started writing mine I would have just commented along in there but >just< missed it. I am content to close out this thread and consolidate into that one