Fix audience and scopes when using WIF and non-default universes.

[juliocc]

Fixes #521

[R2wenD2]

I have one question about the scope change.

[juliocc]

I have one question about the scope change.

I somehow missed the notification. I've answered the question inline.

[MPV]

@juliocc Thanks for your efforts on this.

In the meanwhile, we tried the workaround listed here:

• Audience seems to be ignored #521 (comment)

...but went back to running on top of your work here in this PR, but also noted that the action doesn't write the universe_domain to the credfile:

• auth/src/client/workload_identity_federation.ts

  Lines 185 to 200 in fc21748

  	const data: Record<string, any> = {
  	type: `external_account`,
  	audience: this.#audience,
  	subject_token_type: `urn:ietf:params:oauth:token-type:jwt`,
  	token_url: `${this._endpoints.sts}/token`,
  	credential_source: {
  	url: requestURL,
  	headers: {
  	Authorization: `Bearer ${this.#githubOIDCTokenRequestToken}`,
  	},
  	format: {
  	type: `json`,
  	subject_token_field_name: `value`,
  	},
  	},
  	};

...so we had to do some juggling like this:

...to make it work with Terraform, which otherwise failed with:

Error: Universe domain mismatch: 'masked-sovereign-domain.here' supplied directly to Terraform with no matching universe domain in credentials. Credentials with no 'universe_domain' set are assumed to be in the default universe.