cloudendpoints/endpoints-python

allowed_client_ids is not supported in @endpoints.api


According to the documentation below, allowed_client_ids is supported in both @endpoints.api and @endpoints.method, with the specific setting overriding the general setting.

When I have allowed_client_ids defined in @endpoints.method, it validates the JWT fine.

When I moved allowed_client_ids to @endpoints.api, it gives the following error:

Cannot decode and verify the auth token. The backend will not be able to retrieve user info
Traceback (most recent call last):
  File "/base/data/home/apps/p~cds-dev-155819/stdendpoints:test-client-id.401183766245752589/lib/endpoints_management/control/wsgi.py", line 593, in __call__
    service_name)
  File "/base/data/home/apps/p~cds-dev-155819/stdendpoints:test-client-id.401183766245752589/lib/endpoints_management/auth/tokens.py", line 104, in authenticate
    raise suppliers.UnauthenticatedException(u"Audiences not allowed")
UnauthenticatedException: Audiences not allowed

I've just stumbled on the same bug.
The allowed_client_ids configuration doesn't work when specified at the @endpoints.api level. So basically, if you set the audience argument in @endpoints.api, you can access the API with any service account that uses the same audience value when generating a Google ID token, and it doesn't matter what is set in allowed_client_ids.
At the same time, everything works as expected when allowed_client_ids is configured in @endpoints.method.
This actually looks like a pretty serious security issue, and there have been no comments on it for over eight months now. Could someone please have a look into this and at least confirm the issue?
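To make the behaviour discussed in this thread concrete, here is an added example that is not code from endpoints-python or endpoints_management. It is a hypothetical model of the documented rule (method-level allowed_client_ids and audiences override the API-level ones, otherwise the API-level values are inherited) and of the two checks a verified ID token must pass against the resolved values. The configuration values, the token claim sets, the function names, the mapping of the token's "azp" claim to the client id, and the inherit_client_ids switch (which models the reported bug of API-level allowed_client_ids being dropped) are all constructed for illustration.

```python
# Added example: a hypothetical model of allowed_client_ids / audiences
# resolution across @endpoints.api and @endpoints.method, and of the claim
# checks on a decoded ID token. Not endpoints-python or endpoints_management
# code; all names and values below are constructed.
from typing import Dict, List, Tuple

# Constructed configuration: everything is set at the API level, nothing at
# the method level, which is the placement the issue reports as broken.
API_CONFIG: Dict[str, List[str]] = {
    "audiences": ["https://example-audience.invalid"],
    "allowed_client_ids": ["allowed-sa@example.invalid"],
}
METHOD_CONFIG: Dict[str, List[str]] = {}

# Constructed claim sets, as they would look after signature verification.
LEGIT_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "https://example-audience.invalid",
    "azp": "allowed-sa@example.invalid",
}
# Same audience value, but a different (not allowed) service account.
OTHER_SA_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "https://example-audience.invalid",
    "azp": "other-sa@example.invalid",
}


def resolve(api_cfg: Dict[str, List[str]], method_cfg: Dict[str, List[str]],
            key: str, inherit: bool = True) -> List[str]:
    """Method-level setting wins when present; otherwise fall back to API level.

    inherit=False models the bug reported above: the API-level value is
    ignored instead of being inherited by the method.
    """
    value = method_cfg.get(key)
    if value:
        return list(value)
    if inherit:
        return list(api_cfg.get(key, []))
    return []


def check_claims(claims: Dict[str, str], api_cfg: Dict[str, List[str]],
                 method_cfg: Dict[str, List[str]],
                 inherit_client_ids: bool = True) -> Tuple[bool, str]:
    """Return (ok, reason) for an already signature-verified ID token.

    Two independent checks: the token's audience must be an allowed audience,
    and the party the token was issued to (modelled here as the "azp" claim)
    must be an allowed client id. Audiences are always inherited (the thread
    reports that API-level audiences do take effect); client ids are
    inherited only when inherit_client_ids is True.
    """
    audiences = resolve(api_cfg, method_cfg, "audiences")
    client_ids = resolve(api_cfg, method_cfg, "allowed_client_ids",
                         inherit=inherit_client_ids)
    if claims.get("aud") not in audiences:
        return False, "Audiences not allowed"
    # With an empty allowed list the check degrades to audience-only, which is
    # exactly the exposure described in the comment above.
    if client_ids and claims.get("azp") not in client_ids:
        return False, "Client id not allowed"
    return True, "ok"


if __name__ == "__main__":
    print("documented rule, legit client:   ",
          check_claims(LEGIT_CLAIMS, API_CONFIG, METHOD_CONFIG))
    print("documented rule, other SA:       ",
          check_claims(OTHER_SA_CLAIMS, API_CONFIG, METHOD_CONFIG))
    print("API-level ids dropped, other SA: ",
          check_claims(OTHER_SA_CLAIMS, API_CONFIG, METHOD_CONFIG,
                       inherit_client_ids=False))
```

Run as a script, the third line shows the impact described in the comment: once the API-level allowed_client_ids list is dropped, any token carrying the configured audience is accepted, regardless of which service account it was issued to. Putting allowed_client_ids on the method (the workaround both posters found to work) corresponds to passing it in method_cfg, where resolve returns it without needing inheritance.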