
Add ability to disable JWT audience checking in ESPv2

Open hravnaas opened this issue 3 years ago • 0 comments

We have the need to at least temporarily disable the JWT "aud" claim check in ESPv2. My organization does not currently include the "aud" claim and it will be a slow process to get it added. Also, it'd just be a static string used in all tokens so it would provide very little value, if any at all.

It seems that the JWT RFC calls out "aud" as optional. I've tried removing aud from the token and x-google-audiences from the OpenAPI doc, but I'm getting the "Audience not allowed" error still. Same error when using x-google-audiences: "", so setting it to an empty string. I can however get an empty string to work if I use x-google-audiences: ",", but that still requires the aud claim to be present in the token, so "aud": "".

The JWT is only used internally in our org. It will not be used externally.

As mentioned above, with the RFC labeling "aud" as optional, it seems appropriate that ESPv2 would allow it to truly be optional. See statement here.

Works:

```yaml
securityDefinitions:
  jwt_company:
    authorizationUrl: "https://www.company.com"
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "company.com"
    x-google-jwks_uri: "https://storage.googleapis.com/somefile.json"
    x-google-audiences: "webserver.company.com"
```

Fails (no x-google-audiences):

```yaml
securityDefinitions:
  jwt_company:
    authorizationUrl: "https://www.company.com"
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "company.com"
    x-google-jwks_uri: "https://storage.googleapis.com/somefile.json"
```

If aud is missing, the default service name seems to be added in today: https://github.com/GoogleCloudPlatform/esp-v2/blob/master/src/go/configgenerator/filterconfig/filter_gen_jwt_authn.go#L118

Perhaps a solution could be to allow both an empty string or no aud claim at all if this was provided: x-google-audiences: ""

hravnaas, Jun 08 '22 12:06
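The behaviour reported above (no aud in the token fails, x-google-audiences: "" fails, x-google-audiences: "," accepts "aud": "") can be modelled as a small audience policy. The block below is an added example written for this page, not ESPv2 code: it mints and verifies HS256 tokens with a constructed shared key purely so it runs offline (ESPv2 itself validates against keys from x-google-jwks_uri), and `effective_audiences` is an assumption about how the configured list is derived that reproduces the three observations, with `DEFAULT_SERVICE_NAME` standing in for the service name the linked `filter_gen_jwt_authn.go` falls back to. `check_audience` implements the RFC 7519 section 4.1.3 rule (aud optional, string or array, must match when present) and takes a `require_aud` switch so the strict policy the issue describes and the relaxed one it asks for sit side by side. The caveat worth keeping in view when relaxing it: the last scenario shows what the audience check is for, namely stopping a token minted for one service from being replayed to a different service that trusts the same issuer.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Real ESPv2 deployments fetch public keys from
# x-google-jwks_uri; an HS256 shared secret is used here only so the example
# is self-contained.
DEMO_KEY = b"constructed-demo-hmac-key"
# Hypothetical service name, standing in for the default audience ESPv2 uses
# when x-google-audiences is not configured.
DEFAULT_SERVICE_NAME = "api.endpoints.example-project.cloud.goog"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT over the given claims (test helper)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    sig = hmac.new(key, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_signature(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the HS256 signature and return the payload claims; raise on failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def effective_audiences(x_google_audiences, service_name=DEFAULT_SERVICE_NAME):
    """Assumed derivation of the allowed audience set (not ESPv2 code).

    Reproduces the issue's observations: unset or "" falls back to the
    service name, while "," yields the single empty-string audience.
    """
    if not x_google_audiences:
        return {service_name}
    return {a.strip() for a in x_google_audiences.split(",")}


def check_audience(claims: dict, allowed: set, require_aud: bool):
    """RFC 7519 s4.1.3 aud rule: optional; string or array of strings;
    when present the recipient must find itself in the list or reject.
    require_aud=True is the strict policy the issue reports; False is the
    relaxation it asks for. Returns (ok, reason)."""
    if "aud" not in claims:
        if require_aud:
            return False, "Audience not allowed: aud claim absent"
        return True, "aud claim absent; accepted because audience is optional here"
    aud = claims["aud"]
    if isinstance(aud, str):
        values = [aud]
    elif isinstance(aud, list) and all(isinstance(v, str) for v in aud):
        values = aud
    else:
        return False, "aud claim has an invalid type"
    if any(v in allowed for v in values):
        return True, "audience matched"
    return False, "Audience not allowed"


def authorize(token: str, x_google_audiences, require_aud: bool = True, now=None) -> dict:
    """Verify signature, then expiry, then audience; return claims or raise ValueError."""
    claims = verify_signature(token)
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    ok, reason = check_audience(claims, effective_audiences(x_google_audiences), require_aud)
    if not ok:
        raise ValueError(reason)
    return claims
```

Signature and expiry are checked before the audience on purpose: an audience error message on an unsigned token would leak which audiences the gateway accepts to anyone who can reach it. With `require_aud=False` a token for `webserver.company.com` is still rejected by a service configured for `other.company.com`; only tokens carrying no aud at all pass, which is exactly the class of token that can be replayed against every service behind the issuer.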