revert: restore aud claim as string-only in SSOTokenGenerator

Ninerian · Opencode · GitHub Copilot · Ninerian · commit fd0260049bca · 2026-04-01T18:24:13.000+02:00
Co-Authored-By: Opencode &lt;opencode@noreply.opencode.ai&gt;
Co-Authored-By: GitHub Copilot &lt;copilot@noreply.github.com&gt;
diff --git a/src/SSOTokenGenerator.php b/src/SSOTokenGenerator.php
@@ -54,22 +54,8 @@ private static function buildToken(Configuration $config, array $tokenData): Tok
         $builder = $config->builder();
         // Validate and coerce required registered claims to the expected types
         $audience = $tokenData[SSOData\SharedClaimsInterface::CLAIM_AUDIENCE] ?? '';
-        if (is_string($audience)) {
-            if ($audience === '') {
-                throw new \InvalidArgumentException('aud claim must be a non-empty string or array for token generation');
-            }
-            /** @var non-empty-list<non-empty-string> $audiences */
-            $audiences = [$audience];
-        } elseif (is_array($audience) && $audience !== []) {
-            foreach ($audience as $aud) {
-                if (!is_string($aud) || $aud === '') {
-                    throw new \InvalidArgumentException('aud claim array must contain only non-empty strings for token generation');
-                }
-            }
-            /** @var non-empty-list<non-empty-string> $audiences */
-            $audiences = array_values($audience);
-        } else {
-            throw new \InvalidArgumentException('aud claim must be a non-empty string or array for token generation');
+        if (!is_string($audience) || $audience === '') {
+            throw new \InvalidArgumentException('aud claim must be a non-empty string for token generation');
         }
 
         $issuedAt = $tokenData[SSOData\SharedClaimsInterface::CLAIM_ISSUED_AT] ?? null;
@@ -88,7 +74,7 @@ private static function buildToken(Configuration $config, array $tokenData): Tok
         }
 
         $token = $builder
-            ->permittedFor(...$audiences)
+            ->permittedFor($audience)
             ->issuedAt($issuedAt)
             ->canOnlyBeUsedAfter($notBefore)
             ->expiresAt($expiresAt);
