
Add integration test for default audience without resource parameter #4818

Merged: jhrozek merged 1 commit into main from jerm-aud-fix-nits on Apr 14, 2026

Conversation

@jhrozek (Contributor) commented Apr 14, 2026

Summary

PR #4805 fixed the empty aud claim when clients omit the RFC 8707 resource parameter, but only included unit tests. This adds an end-to-end integration test that verifies the full OAuth flow (authorize -> callback -> token exchange -> JWT validation) produces the correct audience when resource is omitted and the server has a single allowed audience.

Follows up on #4805 / Fixes #4794 (test coverage gap).

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Test plan

  • New integration test TestIntegration_FullPKCEFlow_DefaultAudience passes
  • All existing TestIntegration_FullPKCEFlow* tests still pass
  • task lint-fix clean

Generated with Claude Code

The fix in #4805 defaults the aud claim to the sole AllowedAudiences
entry when clients omit the RFC 8707 resource parameter, but only
included unit tests. Add an end-to-end integration test that verifies
the full OAuth flow (authorize -> callback -> token exchange -> JWT
validation) produces the correct audience when resource is omitted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
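The two ends of the flow the description walks through (the token endpoint picking aud from the RFC 8707 resource parameter, and the resource server validating the resulting JWT), as an added example that is not the project's own code. Everything here is hypothetical: the names resolveAudience, issueToken, mintHS256 and validateHS256, the constructed HMAC key and audience URL, and the HS256 signing (chosen only to keep the block self-contained; an embedded auth server would normally sign with an asymmetric key). The allow-list rule is the one the PR text states: with resource omitted and exactly one allowed audience, that entry becomes aud; the example generalises it by also refusing an omitted resource when the allow-list is ambiguous and an explicit resource that is not on the list.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example inspects. aud is modelled as a single
// string; real issuers may also emit a JSON array (RFC 7519 section 4.1.3).
type Claims struct {
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// resolveAudience is the hypothetical selection rule: an explicit RFC 8707 resource must be on
// the allow-list; an omitted one is accepted only when exactly one allowed audience exists.
func resolveAudience(resource string, allowed []string) (string, error) {
	if resource == "" {
		if len(allowed) == 1 {
			return allowed[0], nil
		}
		return "", fmt.Errorf("resource parameter required: %d allowed audiences, no single default", len(allowed))
	}
	for _, a := range allowed {
		if a == resource {
			return resource, nil
		}
	}
	return "", fmt.Errorf("resource %q is not an allowed audience", resource)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// decodeSegment base64url-decodes one compact-JWS segment and parses it as JSON into v.
func decodeSegment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// mintHS256 signs a compact JWS with HMAC-SHA256 (a production server would use an asymmetric key).
func mintHS256(key []byte, c Claims) string {
	payload, _ := json.Marshal(c) // cannot fail for a struct of plain string/int64 fields
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + b64(sign(key, signingInput))
}

// validateHS256 is the resource-server side: pin the algorithm, verify the signature, then enforce
// exp and an exact, non-empty aud. Rejecting an empty aud is the regression the test guards against.
func validateHS256(key []byte, token, expectedAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg") // never let the token header choose the algorithm
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return c, errors.New("bad signature")
	}
	if err := decodeSegment(parts[1], &c); err != nil {
		return c, err
	}
	switch {
	case now.Unix() >= c.Exp:
		return c, errors.New("token expired")
	case c.Aud == "":
		return c, errors.New("missing aud claim")
	case c.Aud != expectedAud:
		return c, fmt.Errorf("aud %q does not match expected %q", c.Aud, expectedAud)
	}
	return c, nil
}

// issueToken models the token endpoint: resolve aud from the (possibly omitted) resource, then mint.
func issueToken(key []byte, resource string, allowed []string, now time.Time) (string, error) {
	aud, err := resolveAudience(resource, allowed)
	if err != nil {
		return "", err
	}
	return mintHS256(key, Claims{Aud: aud, Exp: now.Add(time.Hour).Unix()}), nil
}
```

Calling issueToken with an empty resource and a one-entry allow-list yields a token whose aud is that entry, and validateHS256 accepts it only for that audience. The validator refuses an empty aud outright rather than comparing it, so a regression of the kind #4805 fixed would be caught at the resource server as well as by the issuer-side integration test.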
@github-actions bot added the size/XS (Extra small PR: < 100 lines changed) label on Apr 14, 2026
Contributor

@claude claude bot left a comment


LGTM — clean integration test following existing patterns.

Extended reasoning...

Overview

Single new test function added to . No production code is changed.

Security risks

None. This is a test-only change; it exercises an existing code path (default audience selection when the RFC 8707 resource parameter is omitted) without introducing any new logic or external surface area.

Level of scrutiny

Low. The change is purely additive, follows the established pattern of every other TestIntegration_FullPKCEFlow* test in the file (same helpers, same JWT-parsing approach, same assertion style), and the exchangeCodeForTokens helper already had the //nolint:unparam annotation to accommodate callers that pass an empty resource string.

Other factors

No existing reviewer comments outstanding. No CODEOWNER-sensitive files touched. The test directly validates the fix from PR #4805 (empty aud claim regression) as described.


codecov bot commented Apr 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.05%. Comparing base (940fc7b) to head (ebd0f2c).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4818      +/-   ##
==========================================
- Coverage   69.09%   69.05%   -0.04%     
==========================================
  Files         530      530              
  Lines       55375    55375              
==========================================
- Hits        38260    38240      -20     
- Misses      14172    14191      +19     
- Partials     2943     2944       +1     


@jhrozek jhrozek merged commit 42f7395 into main Apr 14, 2026
43 checks passed
@jhrozek jhrozek deleted the jerm-aud-fix-nits branch April 14, 2026 20:15

Labels

size/XS Extra small PR: < 100 lines changed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Embedded auth server issues tokens without audience claim when client omits RFC 8707 resource parameter

2 participants