Custom OIDC Audiences Not Passed to Token When Using Dynamic Pipeline Provider (DPP) Integration

    • Severity 3 - Minor

      Issue Summary

      When configuring custom OIDC audiences in Bitbucket Pipelines, the expected behavior is that the specified audiences appear in the aud claim of the BITBUCKET_STEP_OIDC_TOKEN variable, as described in the Inside Atlassian post "Bitbucket Pipelines OIDC now supports multiple audiences". However, when the step runs under a Dynamic Pipeline Provider (DPP), the custom audiences are not present in the token.

      Steps to Reproduce

      • Configure a Bitbucket pipeline step with custom OIDC audiences using the documented syntax:

            oidc:
              audiences:
                - "custom-audience"

      • Use the step in:
        • An inline pipeline (works as expected)
        • An imported pipeline (works as expected)
        • A pipeline using Dynamic Pipeline Provider (DPP) (bug occurs)
      • In the DPP scenario, decode the BITBUCKET_STEP_OIDC_TOKEN and inspect the aud claim

      Expected Results

      The aud claim in the OIDC token should include the custom audience(s) specified in the pipeline configuration.

      Actual Results

      When using DPP, the custom audiences are stripped from the configuration. The pipeline config mutates to oidc: true (instead of containing the audiences array), and the resulting OIDC token only contains the default audience.
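      The inspection in the last reproduction step, and the comparison between the expected and actual aud claim, can be scripted so a step fails fast instead of handing a token with the wrong audience to a downstream relying party. The following is an added example written for this report, not code from Atlassian or Bitbucket: it decodes the payload of a JWT without verifying the signature (inspection only; a relying party still verifies the signature against the issuer's JWKS), normalises the aud claim, and reports which expected audiences are missing. The two sample tokens are constructed in the script with placeholder issuer and default-audience values; the real token is read from BITBUCKET_STEP_OIDC_TOKEN when that variable is set.

```python
import base64
import json
import os


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.

    Used only to inspect claims such as aud. A relying party must still
    verify the signature against the issuer's JWKS before trusting anything
    in the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    payload_b64 = parts[1]
    # JWT segments are base64url without padding; restore it before decoding.
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def audiences_of(claims: dict) -> list:
    """Normalise aud, which RFC 7519 allows to be a single string or a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def missing_audiences(token: str, expected: list) -> list:
    """Return the expected audiences that are absent from the token's aud claim."""
    present = set(audiences_of(decode_jwt_claims(token)))
    return [a for a in expected if a not in present]


def _make_sample_token(claims: dict) -> str:
    """Build a constructed token for demonstration; the signature segment is a dummy."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "constructed-invalid-signature"])


# Constructed samples (placeholder issuer and default audience, not real values):
# the DPP case carries only the default audience, the inline case also carries
# the custom audience configured in the pipeline.
DPP_TOKEN = _make_sample_token({
    "iss": "https://issuer.example.invalid",
    "aud": "default-audience-PLACEHOLDER",
})
INLINE_TOKEN = _make_sample_token({
    "iss": "https://issuer.example.invalid",
    "aud": ["default-audience-PLACEHOLDER", "custom-audience"],
})

if __name__ == "__main__":
    # In a pipeline step the real token is present in the environment;
    # fall back to the constructed DPP sample when running this script locally.
    token = os.environ.get("BITBUCKET_STEP_OIDC_TOKEN", DPP_TOKEN)
    missing = missing_audiences(token, ["custom-audience"])
    if missing:
        raise SystemExit(f"aud claim is missing expected audiences: {missing}")
    print("aud claim contains all expected audiences")
```

      Run inside the affected step (for example with python3 before the token is exchanged with a cloud provider), the script exits non-zero whenever the configured custom audience did not make it into the token, which is exactly the DPP behaviour described above.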

      Workaround

      The only current workaround is not to use Dynamic Pipeline Provider (DPP) in repositories that require custom OIDC audiences. Use inline or imported pipelines without DPP if custom audiences are needed.

              Assignee: Unassigned
              Reporter: Karthick S
              Votes: 0
              Watchers: 2