Protecting an Axum app with OpenID and Zitadel

I try to protect an Axum application by using OpenID and Zitadel. I followed quite closely this quickstart and this authentication flow using PKCE. Everything works fine up until this line:

let claims = id_token.claims(&client.id_token_verifier(), &nonce)?;

It causes the following error:

> InvalidAudience("213170295903617281 is not a trusted audience")'

The client allows me to disable the check by calling required_audience_match(false) which "solves" the problem. So obviously something with the audience seems to be wrong. I checked the source code and dumped the available data just before this line and got:

Audiences:
  Audience("213170295903617281")
  Audience("213170529090208001@mydemo")
Client ID: "213170529090208001@mydemo"

The client id is correct and the one I passed to my client. There is obviously a second one returned by Zitadel. I don't know where it comes from.

Reading the Rust code of the openidconnect crate I came to the impression that it will always fail if there are multiple audiences, which looks odd to me, but I might be missing something.

Looks to me like Zitadel and the openidconnect crate do not fully agree on how OpenID is supposed to work or I'm missing something I have to setup to make it work properly.

Can somebody explain the reason for the second audience and how it is supposed to be handled?

I was having this exact problem. I noticed that the other audience was an exact match for the Zitadel resource ID of my project. Instead of using the default verifier or disabling the verifier, I called set_other_audience_verifier_fn, and passed it a function that checks if the audience is one of those two IDs. This solved my audience problem, though I now get an error about the signature verification ("NoMatchingKey"), so we'll see if I can successfully verify the token.