Make audience checking optional in JWT verification as per RFC7519 4.1.3

[arpit-jn]

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR makes the audience claim validation optional in JWT verification. When no audience is configured, tokens without an audience claim will be accepted, following the RFC7519 section 4.1.3 specification which states the "aud" (audience) claim is optional.

Changes

• Removed assertion requiring audience parameter in JwtVerifierOptions
• Updated audience validation logic to skip validation when no audience is provided
• Added proper documentation explaining the optional nature of audience validation
• Updated tests to verify correct behavior with and without audience

References

#144

Testing

• Added test case for missing audience claim when no audience is specified
• Added test case to verify tokens without audience are rejected when audience is configured
• Verified existing tests pass with these changes
• Manually tested token validation with and without audience claims
• This change adds test coverage for new/changed/fixed functionality

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not the default branch