Banks not supporting multiple AUD in client assertion for private_key_jwt client assertion
What did you do?
Some banks are not accepting an array of audience values as part of the client assertion grant. There is a test for this as part of the request object but not as part of the private key jwt.
What did you expect would happen?
Bank accepts the aud array.
What did happen?
Bank rejected array.
Please reference and quote any relevant OAuth2 / OpenID Connect / FAPI specification clauses that support your expectations
https://tools.ietf.org/html/rfc7521#section-5.1
Audience: A value that identifies the party or parties intended to process the assertion. The URL of the token endpoint, as defined in Section 3.2 of OAuth 2.0 [RFC6749], can be used to indicate that the authorization server is a valid intended audience of the assertion. In the absence of an application profile specifying otherwise, compliant applications MUST compare the Audience values using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 [RFC3986].
If you believe a failure the conformance suite is reporting is not a valid failure, you MUST include a hyperlink for the exact section of the relevant specification that explains how the behaviour of your software is compliant, and you MUST include a quote of the exact clause/phrase you are relying on.
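An added example, not part of the original issue and not the conformance suite's code: one way an authorization server could check the `aud` claim of a private_key_jwt client assertion so that both a single string and an array of strings are accepted, using exact string comparison as in the RFC 7521 text quoted above. The endpoint URLs, client id, key id and sample assertions are constructed assumptions, and signature verification is deliberately left out.

```python
import base64
import json

# Assumed values for illustration only (not taken from the issue).
TOKEN_ENDPOINT = "https://as.example.com/token"
ISSUER = "https://as.example.com"


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def assertion_claims(jwt: str) -> dict:
    """Decode the payload only; signature verification is out of scope here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def audience_ok(claims: dict, accepted: set) -> bool:
    """Accept 'aud' as a single string or an array of strings (RFC 7519, 4.1.3).

    Values are compared as exact strings: no case folding and no
    trailing-slash normalisation.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not aud:
        return False  # missing, empty, or wrong JSON type
    if not all(isinstance(v, str) for v in aud):
        return False  # malformed array entry
    return any(v in accepted for v in aud)


def make_assertion(aud) -> str:
    """Constructed, unsigned sample assertion used only to exercise the check."""
    header = {"alg": "PS256", "kid": "sample-key"}
    payload = {"iss": "client-1", "sub": "client-1", "aud": aud,
               "jti": "abc", "exp": 4102444800}
    return f"{b64url_encode(header)}.{b64url_encode(payload)}.c2ln"
```
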