I’ve read the purpose of the audience is to specify who the token was intended for.
Upon validating the token, the authorization issuer has to match. But why should we also validate that the audience matches if the authorization server and the audience are in a 1-to-1 ratio in their setup? It seems like a meaningless validation step to me, unless it’s possible for an attacker to obtain a valid token with a matching authorization issuer but with a different audience. I don’t know in what scenario this would happen.
Am I completely misunderstanding something?
Thank you.
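As an added illustration (not part of the question or of any answer on this page), here is a minimal HS256 JWT verifier in Python using only the standard library; the issuer URL, shared secret and audience names are constructed for the demo. It shows the scenario the question asks about: a token the same issuer minted for one audience is presented to a different service, and a verifier that checks only `iss` accepts it while the `aud` check rejects it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed values for the demo; a real verifier uses the issuer's published key material.
SECRET = b"constructed-demo-secret"
ISSUER = "https://auth.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Issue an HS256 JWT for the given claims (demo-only signing with a shared secret)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str, expected_aud: str, check_aud: bool = True) -> Optional[dict]:
    """Return the claims if signature, iss and (optionally) aud all check out, else None.
    exp/nbf handling is omitted to keep the example focused on iss versus aud."""
    header, payload, sig = token.split(".")
    # The alg in the header is deliberately not trusted; this verifier only ever uses HS256.
    expected_sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        return None
    if check_aud:
        # RFC 7519 allows aud to be a single string or an array of strings.
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            return None
    return claims

def demo() -> Tuple[bool, bool]:
    """A token minted for billing-api is presented to orders-api.
    Returns (accepted without aud check, accepted with aud check)."""
    token = mint({"iss": ISSUER, "aud": "billing-api", "sub": "alice"})
    lax = verify(token, "orders-api", check_aud=False) is not None
    strict = verify(token, "orders-api") is not None
    return lax, strict  # (True, False)
```

The point the example makes is that `iss` only proves who signed the token; `aud` is what binds it to the one service that is supposed to accept it, which still matters even when the deployment happens to be 1-to-1 today.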