Add trusted_audiences OIDC config for providers with multi-audience tokens (Zitadel) #937

@dsamford

Description

Problem

RustDesk Server Pro's OIDC implementation rejects ID tokens that contain additional values in the aud claim beyond the configured client_id. This breaks compatibility with OIDC providers that include extra audience entries by design.

Error:

Failed to verify ID token, Invalid audiences: `<project_id>` is not a trusted audience

Affected provider: Zitadel — a CNCF-listed, open-source OIDC provider popular in self-hosted environments. Zitadel always includes the project ID alongside the client ID in the aud claim for all project-scoped applications. This is by design and cannot currently be disabled.

The same issue affects other tools that use the openidconnect-rs crate with default audience validation, including Proxmox VE.

Suggested Fix

The openidconnect-rs crate's IdTokenVerifier supports set_other_audience_verifier_fn to accept additional audience values. This is a minimal change:

use std::collections::HashSet;

// Before — default verifier: any `aud` value other than client_id fails
let verifier = id_token_verifier();

// After — trust configured additional audiences.
// The closure is consulted only for audiences that are not the client_id;
// returning false produces the "is not a trusted audience" error above.
let trusted: HashSet<String> = config.trusted_audiences.iter().cloned().collect();
let verifier = id_token_verifier()
    .set_other_audience_verifier_fn(move |aud| trusted.contains(aud.as_str()));

And a new field in the OIDC provider config (oidc_config.toml):

[providers.Zitadel]
client_id = "..."
# ...existing fields...
trusted_audiences = ["<zitadel_project_id>"]

Precedent

Vaultwarden solved this same issue by adding an SSO_AUDIENCE_TRUSTED environment variable (dani-garcia/vaultwarden#6650).

Environment

  • RustDesk Server Pro: latest
  • OIDC Provider: Zitadel v4.12.1
  • Deployment: Kubernetes (self-hosted)
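The following is an added, std-only Rust example (not RustDesk's, Zitadel's or the issue author's code) that models the audience check behind the error above so the "before" and "after" behaviour can be run side by side. It goes slightly beyond the issue text: besides rejecting unknown extra audiences and accepting a configured trusted list, it keeps the two checks OpenID Connect Core 1.0 section 3.1.3.7 requires of any relying party (the client_id must still appear in `aud`, and with multiple audiences an `azp` claim, if present, must equal the client_id). The struct, function and error names, and the client and project identifiers, are constructed for the example.

```rust
use std::collections::HashSet;

/// The two ID-token claims that matter for audience validation.
/// On the wire `aud` is either a JSON string or an array of strings;
/// this model assumes it has already been normalised to a Vec.
#[derive(Debug, Clone)]
pub struct AudClaims {
    pub aud: Vec<String>,
    pub azp: Option<String>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AudError {
    /// No `aud` value at all: the token was not issued for anyone.
    EmptyAudience,
    /// An audience that is neither our client_id nor in the trusted list
    /// (the situation the issue reports for the Zitadel project ID).
    UntrustedAudience(String),
    /// Our client_id is absent from `aud`: the token was minted for another client.
    ClientIdNotInAudience,
    /// Multiple audiences and `azp` names a different client.
    AzpMismatch(String),
}

/// Build the trusted set from a `trusted_audiences = [...]` style config list.
pub fn trusted_set(configured: &[&str]) -> HashSet<String> {
    configured.iter().map(|s| s.to_string()).collect()
}

/// Audience validation as an OIDC relying party should perform it
/// (OpenID Connect Core 1.0, section 3.1.3.7, steps 3-5):
///  - every `aud` entry must be our client_id or an explicitly trusted audience;
///  - our client_id must itself be present in `aud`;
///  - with multiple audiences, an `azp` claim, if present, must equal our client_id.
pub fn verify_audiences(
    claims: &AudClaims,
    client_id: &str,
    trusted: &HashSet<String>,
) -> Result<(), AudError> {
    if claims.aud.is_empty() {
        return Err(AudError::EmptyAudience);
    }
    let mut saw_client_id = false;
    for aud in &claims.aud {
        if aud == client_id {
            saw_client_id = true;
        } else if !trusted.contains(aud) {
            // Strict default: an unknown extra audience fails the whole token.
            return Err(AudError::UntrustedAudience(aud.clone()));
        }
    }
    if !saw_client_id {
        return Err(AudError::ClientIdNotInAudience);
    }
    if claims.aud.len() > 1 {
        if let Some(azp) = &claims.azp {
            if azp != client_id {
                return Err(AudError::AzpMismatch(azp.clone()));
            }
        }
    }
    Ok(())
}

fn main() {
    // Constructed identifiers standing in for a real client_id and Zitadel project ID.
    let client_id = "rustdesk-client-id";
    let project_id = "zitadel-project-id";
    // A Zitadel-style token: aud carries both the client ID and the project ID.
    let token = AudClaims {
        aud: vec![client_id.to_string(), project_id.to_string()],
        azp: Some(client_id.to_string()),
    };
    // Before: no trusted_audiences configured, rejected on the project ID.
    println!("{:?}", verify_audiences(&token, client_id, &trusted_set(&[])));
    // After: project ID trusted, accepted.
    println!("{:?}", verify_audiences(&token, client_id, &trusted_set(&[project_id])));
}
```

Note that adding a trusted audience only relaxes the check for the extra entries; a token whose `aud` contains the project ID but not the client_id is still rejected, so the list should hold only the provider's own project identifier and never another application's client ID.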
