
Support audience parameter for the introspection endpoint

Open mitar opened this issue 10 months ago • 0 comments

Preflight checklist

Ory Network Project

No response

Describe your problem

This is a follow-up to discussion in this issue. I am for now opening an issue to not forget, I might do a PR in the future.

If you are using the introspection endpoint to validate tokens (to check if they should be accepted), then you should also pass the audience parameter to check that the given token is for the expected audience. This solves the problem of someone using an access token meant for one audience to gain access to another audience (both tokens are valid, just the audience is different).

Describe your ideal solution

The introspection endpoint should also accept an audience parameter, which would force access tokens passed to it to match the expected audience.

Workarounds or alternatives

After calling the introspection endpoint, the caller can manually inspect whether the audience in the response matches the expected audience, but that is error-prone.

Version

latest master branch

Additional Context

No response

mitar avatar Mar 01 '25 00:03 mitar
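The workaround described in the issue (check the `aud` claim of the introspection response yourself, since the endpoint does not enforce it) is shown below as an added example; this is not fosite's own code and not code from the issue author. It assumes the resource server already holds the JSON body of an RFC 7662 introspection response, and it handles the one edge case that makes a hand-rolled check error-prone: RFC 7662 allows `aud` to be either a single string or an array of strings, and the claim may be absent altogether. The check fails closed: an inactive token, a missing `aud`, or an `aud` that does not contain the expected value is rejected. The audience URLs and the sample response bodies are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Audience models the RFC 7662 "aud" member, which may be encoded as a
// single JSON string or as an array of strings.
type Audience []string

// UnmarshalJSON accepts both encodings; a JSON null yields an empty audience.
func (a *Audience) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		*a = nil
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

// IntrospectionResponse holds the RFC 7662 members used by the check.
// Other members (scope, client_id, exp, ...) are ignored here.
type IntrospectionResponse struct {
	Active bool     `json:"active"`
	Aud    Audience `json:"aud"`
	Sub    string   `json:"sub"`
}

var (
	ErrInactive         = errors.New("token is not active")
	ErrAudienceMismatch = errors.New("token audience does not include the expected audience")
	ErrNoExpectedAud    = errors.New("expected audience must not be empty")
)

// CheckIntrospection parses an introspection response body and accepts the
// token only if it is active and its audience list contains expectedAud.
// A missing or empty "aud" is treated as a mismatch (fail closed).
func CheckIntrospection(body []byte, expectedAud string) (*IntrospectionResponse, error) {
	if expectedAud == "" {
		return nil, ErrNoExpectedAud
	}
	var resp IntrospectionResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("parse introspection response: %w", err)
	}
	if !resp.Active {
		return nil, ErrInactive
	}
	for _, aud := range resp.Aud {
		if aud == expectedAud {
			return &resp, nil
		}
	}
	return nil, ErrAudienceMismatch
}

func main() {
	const ours = "https://api.example.com/orders" // constructed audience of this resource server

	// Constructed: a valid token issued for a different audience. Without the
	// audience check it would be accepted, because "active" is true.
	other := []byte(`{"active":true,"aud":["https://api.example.com/billing"],"sub":"user-1"}`)
	if _, err := CheckIntrospection(other, ours); err != nil {
		fmt.Println("rejected:", err)
	}

	// Constructed: a token for our audience, with "aud" encoded as a plain string.
	good := []byte(`{"active":true,"aud":"https://api.example.com/orders","sub":"user-1"}`)
	if r, err := CheckIntrospection(good, ours); err == nil {
		fmt.Println("accepted subject:", r.Sub)
	}
}
```

The comparison is exact string equality on the audience value; the resource server should compare against the identifier it was registered under, not a prefix or a parsed host, so that two services under one domain stay distinct audiences.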