Description
Describe the issue:
After configuring an OIDC based application in the console, the ID token returned by the token endpoint (https://localhost:9443/oauth2/token) contains an empty aud claim value. The value of the aud claim in the ID Token must be trusted by the client, and it must not be null or an empty string. [1]
How to reproduce:
1. Configure an OIDC application through the console. [2]
2. Try the OIDC Authorization Code grant flow. [3]
3. Obtain an ID token.
4. Parse the ID token and check the aud claim value.
With the default configurations, it contains the client id and an empty string.
[1] https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
[2] https://is.docs.wso2.com/en/5.11.0/learn/configuring-oauth2-openid-connect/
[3] https://is.docs.wso2.com/en/5.11.0/learn/try-authorization-code-grant/
Expected behavior:
With the default configurations, the aud claim should only contain the client id of the application.
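The aud check from step 4 written out as a client-side validator (an added example, not code from WSO2 IS or from this issue): it decodes the ID token payload and applies the OIDC Core ID Token Validation rules for aud, rejecting the `[client_id, ""]` value reported above and accepting the expected `client_id`. The client id, the tokens and their signature segment are constructed placeholders; signature verification is assumed to have happened before the claims are inspected.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_id_token_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWS. Signature verification is assumed
    to have been done already; this only inspects the claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def validate_aud(claims: dict, client_id: str) -> list:
    """Check the aud claim per OIDC Core 3.1.3.7. Returns a list of problems;
    an empty list means aud is acceptable for this client."""
    problems = []
    aud = claims.get("aud")
    if aud is None:
        return ["aud claim is missing"]
    audiences = [aud] if isinstance(aud, str) else aud  # string or array form
    if not isinstance(audiences, list) or not audiences:
        return ["aud claim is empty"]
    if any(not isinstance(a, str) or a == "" for a in audiences):
        problems.append("aud contains a null or empty-string audience")
    if client_id not in audiences:
        problems.append("aud does not list this client_id")
    # With several audiences the client should check that azp names this client.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client_id")
    return problems

def build_token(payload: dict) -> str:
    """Constructed, unsigned token for demonstration only (placeholder signature)."""
    header = {"alg": "RS256", "kid": "constructed"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(b"placeholder-signature")])

CLIENT_ID = "example_client_id"  # hypothetical client id
BASE = {"iss": "https://localhost:9443/oauth2/token", "sub": "admin", "azp": CLIENT_ID}
BUGGY_TOKEN = build_token({**BASE, "aud": [CLIENT_ID, ""]})  # aud as reported in this issue
FIXED_TOKEN = build_token({**BASE, "aud": CLIENT_ID})        # aud as expected

if __name__ == "__main__":
    for name, tok in (("buggy", BUGGY_TOKEN), ("fixed", FIXED_TOKEN)):
        print(name, validate_aud(parse_id_token_claims(tok), CLIENT_ID) or "ok")
```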
Environment information:
- Product Version: IS 5.12.0-M6
