A key security aspect of OIDC tokens is that an issuer provide them with audience fields specific to the third-party they will be used to autheniticate with.
For example: A token issued to authenticate to AWS should have an audience set to
for example.
This ensure that tokens issued to authenticate with one party and not abused to authenticate against a different one should the token be leaked accidentally.
It would be awesome if the OIDC tokens now injected into builds in the CIRCLE_OIDC_TOKEN environment variable could have specific audiences set instead of the current Org UUID which provide no additional meaningful information to create policy information against (indeed it is already encoded in the subject).