Description
The audience check currently either succeeds or reports `Audience doesn't match`.
This makes it hard to track the incorrect audiences (either for security reasons, or for helping with migrating audiences/clients).
I don't know if that is intended, but it would be nice to have the library log the audience.
Especially because the only other way to get the used audience is to either check the audience yourself (with probably just the same logic, but that would force us to do that "critical" check ourselves) or check the token twice, once to get the token data and a second time for the audience check.
The simplest way would be:
```python
InvalidAudienceError(
    "Audience "
    + str(audience_claims)
    + " is not in approved list: "
    + str(audience)
)
```
when throwing the error.
I'm happy to provide the PR, but don't want to start something like that, if that's not wanted.
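
An added sketch of the behaviour requested above, not part of the original issue and not the library's code: `check_audience` and `authorize` are hypothetical names, the local `InvalidAudienceError` is a stand-in class, and the payload is assumed to come from a token whose signature was already verified. It goes slightly beyond the snippet in the issue by formatting the values with `repr()`, so a rejected audience containing control characters cannot forge log lines.

```python
import logging

log = logging.getLogger("auth.jwt")


class InvalidAudienceError(Exception):
    """Stand-in error (assumption); keeps the values for structured logging."""

    def __init__(self, presented, approved):
        self.presented = presented
        self.approved = approved
        # repr() escapes newlines and other control characters in claim values.
        super().__init__(
            "Audience " + repr(presented)
            + " is not in approved list: " + repr(approved)
        )


def check_audience(payload, audience):
    """Raise InvalidAudienceError unless one 'aud' value is in the approved list."""
    approved = [audience] if isinstance(audience, str) else list(audience)
    claims = payload.get("aud")
    if isinstance(claims, str):  # "aud" may be one string or a list of strings
        claims = [claims]
    # A missing or malformed claim is rejected and reported like a mismatch.
    if not isinstance(claims, list) or not all(isinstance(c, str) for c in claims):
        raise InvalidAudienceError(claims, approved)
    if not any(c in approved for c in claims):
        raise InvalidAudienceError(claims, approved)
    return claims


def authorize(payload, audience):
    """Run the check once; on failure, log the rejected audience from the error."""
    try:
        check_audience(payload, audience)
        return True
    except InvalidAudienceError as exc:
        log.warning("jwt audience rejected: %s", exc)
        return False
```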