As currently implemented, the AudienceValidation Authenticator will fail the authentication flow if the client has not passed the aud query param (which is required by SMART App Launch).
I think this is technically the correct behavior, but it turns out that this is a real pain for application clients that use standard OAuth / OIDC client libs. For example, testing the API via the Postman application's built-in OAuth 2.0 support is no longer possible, because there is no way to pass this special parameter.
Instead, I think a good compromise would be this:
For clients that omit the aud parameter: issue them a token with the audience field set appropriately (via a standard Keycloak Audience Mapper).
For SMART-enabled clients that pass the aud parameter, enforce that the value of this parameter matches one of the Approved Audiences configured for this authenticator.
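A sketch of the proposed compromise as a Keycloak authenticator, added here as an example and not code from this issue or from the project's own AudienceValidation authenticator. It assumes a hypothetical config key "approved.audiences" (comma-separated FHIR base URLs) and that the aud value is read from the current request's query parameters; when aud is absent the execution simply succeeds and the audience claim is left to a standard Audience Mapper.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Hypothetical authenticator implementing the compromise described in the issue.
public class LenientAudienceValidationAuthenticator implements Authenticator {
    // Assumed config key; the real authenticator's key name is not given in the issue.
    static final String APPROVED_AUDIENCES = "approved.audiences";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String aud = context.getUriInfo().getQueryParameters().getFirst("aud");
        if (aud == null || aud.isBlank()) {
            // Plain OAuth/OIDC client (e.g. Postman) sent no aud: let the flow continue,
            // the audience claim is added later by a standard Audience Mapper.
            context.success();
            return;
        }
        Set<String> approved = approvedAudiences(context.getAuthenticatorConfig());
        if (approved.contains(normalize(aud))) {
            // SMART client named an audience that is on the approved list.
            context.success();
        } else {
            // SMART client named an audience this server is not configured for.
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        }
    }

    // Parse the comma-separated approved list from the authenticator config.
    static Set<String> approvedAudiences(AuthenticatorConfigModel config) {
        if (config == null || config.getConfig() == null) return Set.of();
        String raw = config.getConfig().getOrDefault(APPROVED_AUDIENCES, "");
        return Arrays.stream(raw.split(","))
                .map(String::trim).filter(s -> !s.isEmpty())
                .map(LenientAudienceValidationAuthenticator::normalize)
                .collect(Collectors.toSet());
    }

    // Compare FHIR base URLs without a trailing slash so "https://x/fhir" and
    // "https://x/fhir/" count as the same audience.
    static String normalize(String url) {
        return url.endsWith("/") ? url.substring(0, url.length() - 1) : url;
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```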