OIDC JWT handling: accept tokens where `aud` is a string, rather than an array

[gefjon]

This is explicitly allowed by the OIDC specification:

In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.

However, per a user report, we seem to improperly handle this case.