Whether the token lists the given resource among its audiences (RFC 8707).
The spec (basic/authorization §Access Token Privilege Restriction) requires
servers to "reject tokens that do not include them in the audience claim",
so an empty audience does NOT satisfy the binding: a token must explicitly
name resource to be treated as issued for this server.
Whether the token lists the given resource among its audiences (RFC 8707). The spec (basic/authorization §Access Token Privilege Restriction) requires servers to "reject tokens that do not include them in the audience claim", so an empty audience does NOT satisfy the binding: a token must explicitly name resource to be treated as issued for this server.