Reject request in case of unavailable audience requested #37104

@mposolda

Description

This is a possible follow-up of #35505.

This task is about the ability to reject the token request in case an unavailable audience is requested in the audience parameter.

We currently reject the request in case the audience parameter references the client_id of a non-existing client. However, we don't reject the request in case the client_id is valid, but the audience is not added to the token scopes.

For the discussion and more context, see:

Implementation note

With the PR for #35505, I've already added a TODO in the code for rejecting the request in case of an unavailable audience. Besides uncommenting/updating this code, some updates will be needed in the tests. Especially:

  • ClientTokenExchangeAudienceAndScopesTest.test03_scopeParamIncludedAudienceIncluded_unavailableAudience (it mimics example 3 from the document above. This task is about updating the "ignore" approach to use the "reject" approach, and hence the test will need some update as well)
  • StandardTokenExchangeV2Test (I think more updates will be needed for this test. Maybe it is the question whether to do "Consider making StandardTokenExchangeV2Test to be independent of StandardTokenExchangeV1Test #37105" beforehand or together with this task?)
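To make the two checks discussed above concrete, here is a small model of the audience decision, added here as an example and not taken from Keycloak's code. The function names `validate_audience` and `run_examples`, the sample realm, and representing "audiences added by the token scopes" as a precomputed set are assumptions for illustration; the `invalid_target` error code is the one RFC 8693 defines for a requested audience the server will not serve. The `reject_unavailable` flag switches between the current "ignore" behaviour and the "reject" behaviour this issue asks for.

```python
# Example code added by the editor to model the check discussed in this issue;
# it is not Keycloak's implementation. The function names, the error-code choice
# and the sample realm below are assumptions for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Set

# RFC 8693 (OAuth 2.0 Token Exchange), section 2.2.2: error code returned when
# the requested audience or resource cannot be served.
INVALID_TARGET = "invalid_target"


@dataclass
class ExchangeDecision:
    audience: List[str] = field(default_factory=list)  # audience claim to issue
    error: Optional[str] = None                        # OAuth error code, or None


def validate_audience(requested: Sequence[str],
                      existing_clients: Set[str],
                      available_audiences: Set[str],
                      reject_unavailable: bool) -> ExchangeDecision:
    """Decide whether a token exchange request with `audience=...` is served.

    requested:            values of the `audience` request parameter (client_ids)
    existing_clients:     client_ids that exist in the realm
    available_audiences:  audiences the exchanged token may carry, i.e. those
                          contributed by the token's scopes (assumption: modelled
                          here as a precomputed set)
    reject_unavailable:   False models the current "ignore" behaviour,
                          True the "reject" behaviour this issue asks for
    """
    # Already rejected today: the audience names a client that does not exist.
    if any(aud not in existing_clients for aud in requested):
        return ExchangeDecision(error=INVALID_TARGET)

    unavailable = [aud for aud in requested if aud not in available_audiences]
    if unavailable and reject_unavailable:
        # Requested change: a valid client_id that the token's scopes do not
        # add as an audience is an error, not something to silently drop.
        return ExchangeDecision(error=INVALID_TARGET)

    # "Ignore" behaviour (or nothing unavailable): issue only what is available,
    # preserving the request order.
    return ExchangeDecision(audience=[aud for aud in requested
                                      if aud in available_audiences])


# Constructed sample realm: three clients, but the subject token's scopes only
# make `orders-api` and `billing-api` available as audiences.
REALM_CLIENTS = {"orders-api", "billing-api", "reports-api"}
TOKEN_AUDIENCES = {"orders-api", "billing-api"}


def run_examples(reject_unavailable: bool) -> dict:
    """Evaluate the three situations from the issue under one policy."""
    cases = {
        "nonexistent": ["no-such-client"],
        "unavailable": ["orders-api", "reports-api"],
        "available": ["orders-api", "billing-api"],
    }
    return {name: validate_audience(req, REALM_CLIENTS, TOKEN_AUDIENCES,
                                    reject_unavailable)
            for name, req in cases.items()}


if __name__ == "__main__":
    for policy in (False, True):
        label = "reject" if policy else "ignore"
        for name, decision in run_examples(policy).items():
            print(f"{label:6} {name:12} -> {decision}")
```

Under the "ignore" policy the `unavailable` case quietly returns a token whose audience is only `orders-api`, which is exactly the silent drop the issue wants to turn into an `invalid_target` error; the `nonexistent` case is rejected under both policies, matching the behaviour already in place.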
