[management] Fix role change in transaction and update readme (#5060)

management/internals/server/config/config.go

@@ -102,6 +102,9 @@ type HttpServerConfig struct {
 	CertKey string
 	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
 	AuthAudience string
+	// CLIAuthAudience identifies the client app recipients that the JWT is intended for (aud in JWT)
+	// Used only in conjunction with EmbeddedIdP
+	CLIAuthAudience string
 	// AuthIssuer identifies principal that issued the JWT
 	AuthIssuer string
 	// AuthUserIDClaim is the name of the claim that used as user ID

management/internals/shared/grpc/conversion.go

@@ -428,9 +428,13 @@ func buildJWTConfig(config *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfi
 		keysLocation = strings.TrimSuffix(issuer, "/") + "/.well-known/jwks.json"
 	}
 
+	audience := config.AuthAudience
+	if config.CLIAuthAudience != "" {
+		audience = config.CLIAuthAudience
+	}
 	return &proto.JWTConfig{
 		Issuer:       issuer,
-		Audience:     config.AuthAudience,
+		Audience:     audience,
 		KeysLocation: keysLocation,
 	}
 }