Unfortunately, adding the audience and setting up the API still seems insufficient — I’m still receiving a JWE in return.
It wouldn’t be a problem if I could verify it on the backend — in fact, I’d even say it would be safer that way.
Here’s the updated code in the exchange_code_for_token method:
let body = format!(
"grant_type=authorization_code\
&client_id={client_id}\
&code={code}\
&redirect_uri={redirect_url_url_encoding}\
&code_verifier={verifier}\
&audience={audience_url_encoding}",
);