SequeI
diff --git a/‎CHANGELOG.md
Lines changed: 3 additions & 0 deletions b/‎CHANGELOG.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎mkdocs.yml
Lines changed: 1 addition & 1 deletion b/‎mkdocs.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎sigstore/_cli.py
Lines changed: 3 additions & 3 deletions b/‎sigstore/_cli.py
Lines changed: 3 additions & 3 deletions
diff --git a/‎sigstore/oidc.py
Lines changed: 9 additions & 7 deletions b/‎sigstore/oidc.py
Lines changed: 9 additions & 7 deletions
diff --git a/‎test/conftest.py
Lines changed: 3 additions & 3 deletions b/‎test/conftest.py
Lines changed: 3 additions & 3 deletions
diff --git a/‎test/unit/conftest.py
Lines changed: 3 additions & 3 deletions b/‎test/unit/conftest.py
Lines changed: 3 additions & 3 deletions
@@ -16,6 +16,9 @@ All versions prior to 0.9.0 are untracked.
 
 * Added support for ed25519 keys.
   [#1377](https://github.com/sigstore/sigstore-python/pull/1377)
+* API: `IdentityToken` now supports `client_id` for audience claim validation.
+  [#1402](https://github.com/sigstore/sigstore-python/pull/1402)
+
 
 ### Fixed
 
 
@@ -80,4 +80,4 @@ extra:
     - icon: fontawesome/brands/slack
       link: https://sigstore.slack.com
     - icon: fontawesome/brands/x-twitter
-      link: https://twitter.com/projectsigstore
+      link: https://twitter.com/projectsigstore
@@ -659,7 +659,7 @@ def _sign_common(
     # 3) Interactive OAuth flow
     identity: IdentityToken | None
     if args.identity_token:
-        identity = IdentityToken(args.identity_token)
+        identity = IdentityToken(args.identity_token, args.oidc_client_id)
     else:
         identity = _get_identity(args, trust_config)
 
@@ -1181,11 +1181,11 @@ def _get_identity(
 ) -> Optional[IdentityToken]:
     token = None
     if not args.oidc_disable_ambient_providers:
-        token = detect_credential()
+        token = detect_credential(args.oidc_client_id)
 
     # Happy path: we've detected an ambient credential, so we can return early.
     if token:
-        return IdentityToken(token)
+        return IdentityToken(token, args.oidc_client_id)
 
     if args.oidc_issuer is not None:
         issuer = Issuer(args.oidc_issuer)
 
@@ -41,7 +41,8 @@
     "https://oauth2.sigstage.dev/auth": "email",
     "https://token.actions.githubusercontent.com": "sub",
 }
-_DEFAULT_AUDIENCE = "sigstore"
+
+_DEFAULT_CLIENT_ID = "sigstore"
 
 
 class _OpenIDConfiguration(BaseModel):
@@ -66,7 +67,7 @@ class IdentityToken:
     a sensible subject, issuer, and audience for Sigstore purposes.
     """
 
-    def __init__(self, raw_token: str) -> None:
+    def __init__(self, raw_token: str, client_id: str = _DEFAULT_CLIENT_ID) -> None:
         """
         Create a new `IdentityToken` from the given OIDC token.
         """
@@ -90,7 +91,7 @@ def __init__(self, raw_token: str) -> None:
                     # See: https://openid.net/specs/openid-connect-basic-1_0.html#IDToken
                     "require": ["aud", "sub", "iat", "exp", "iss"],
                 },
-                audience=_DEFAULT_AUDIENCE,
+                audience=client_id,
                 # NOTE: This leeway shouldn't be strictly necessary, but is
                 # included to preempt any (small) skew between the host
                 # and the originating IdP.
@@ -270,7 +271,7 @@ def __init__(self, base_url: str) -> None:
 
     def identity_token(  # nosec: B107
         self,
-        client_id: str = "sigstore",
+        client_id: str = _DEFAULT_CLIENT_ID,
         client_secret: str = "",
         force_oob: bool = False,
     ) -> IdentityToken:
@@ -350,7 +351,7 @@ def identity_token(  # nosec: B107
         if token_error is not None:
             raise IdentityError(f"Error response from token endpoint: {token_error}")
 
-        return IdentityToken(token_json["access_token"])
+        return IdentityToken(token_json["access_token"], client_id)
 
 
 class IdentityError(Error):
@@ -402,9 +403,10 @@ def diagnostics(self) -> str:
             """
 
 
-def detect_credential() -> Optional[str]:
+def detect_credential(client_id: str = _DEFAULT_CLIENT_ID) -> Optional[str]:
     """Calls `id.detect_credential`, but wraps exceptions with our own exception type."""
+
     try:
-        return cast(Optional[str], id.detect_credential(_DEFAULT_AUDIENCE))
+        return cast(Optional[str], id.detect_credential(client_id))
     except id.IdentityError as exc:
         IdentityError.raise_from_id(exc)
@@ -22,11 +22,11 @@
     detect_credential,
 )
 
-from sigstore.oidc import _DEFAULT_AUDIENCE
-
 _ASSETS = (Path(__file__).parent / "assets").resolve()
 assert _ASSETS.is_dir()
 
+TEST_CLIENT_ID = "sigstore"
+
 
 @pytest.fixture
 def asset():
@@ -44,7 +44,7 @@ def _has_oidc_id():
         return True
 
     try:
-        token = detect_credential(_DEFAULT_AUDIENCE)
+        token = detect_credential(TEST_CLIENT_ID)
         if token is None:
             return False
     except GitHubOidcPermissionCredentialError:
 
@@ -40,7 +40,7 @@
 from sigstore._internal.trust import ClientTrustConfig
 from sigstore._utils import sha256_digest
 from sigstore.models import Bundle
-from sigstore.oidc import _DEFAULT_AUDIENCE, IdentityToken
+from sigstore.oidc import IdentityToken
 from sigstore.sign import SigningContext
 from sigstore.verify.verifier import Verifier
 
@@ -209,7 +209,7 @@ def ctx_cls():
     token = os.getenv(f"SIGSTORE_IDENTITY_TOKEN_{env}")
     if not token:
         # If the variable is not defined, try getting an ambient token.
-        token = detect_credential(_DEFAULT_AUDIENCE)
+        token = detect_credential()
 
     return ctx_cls, IdentityToken(token)
 
@@ -230,7 +230,7 @@ def signer():
     token = os.getenv("SIGSTORE_IDENTITY_TOKEN_staging")
     if not token:
         # If the variable is not defined, try getting an ambient token.
-        token = detect_credential(_DEFAULT_AUDIENCE)
+        token = detect_credential()
 
     return signer, verifier, IdentityToken(token)