Multiple Audience Support #449
Description
Hello,
It seems there is a bug / issue / lack of feature with the audience validation logic. If you pass a list of audiences, it must be in all of them, not just one. I believe it's not "standard" to allow multiple audiences as is done with the Issuer claim.
Please see the logic on line 415

```java
if (audience == null || !audience.containsAll(value)) {
```

vs the logic on line 421

```java
if (issuer == null || !value.contains(issuer)) {
```
Would it be possible to give us the option to validate all or at least one? It's unclear to me why we have a list for aud, and a single value for issuer, but that's neither here nor there, can we simply check if one exists? Not sure if this would need a broader vetting, or perhaps a new API to check for at least one vs all?
Could we simply tweak line 415 with `Collections.disjoint(audience, value);` instead of `!audience.containsAll(value);`?
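
The two checks compared in this issue, run side by side on constructed audience lists. This is an added example, not java-jwt's own code: the class and method names are hypothetical, and it assumes `audience` is the token's `aud` claim and `value` is the verifier's expected list.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example, not java-jwt code. Assumption: `audience` is the token's
// "aud" claim and `value` is the list of audiences the verifier expects.
public class AudienceCheckDemo {

    // Behaviour quoted in the issue (line 415): reject unless the token
    // carries every expected audience.
    static boolean acceptsAllOf(List<String> audience, List<String> value) {
        return !(audience == null || !audience.containsAll(value));
    }

    // Proposed behaviour: reject only when the token shares no audience
    // with the expected list (Collections.disjoint is true on no overlap).
    static boolean acceptsAnyOf(List<String> audience, List<String> value) {
        return !(audience == null || Collections.disjoint(audience, value));
    }

    public static void main(String[] args) {
        List<String> expected = Arrays.asList("api-a", "api-b"); // constructed
        List<List<String>> tokens = Arrays.asList(               // constructed aud claims
            Arrays.asList("api-a", "api-b"),
            Arrays.asList("api-a"),
            Arrays.asList("api-a", "other"),
            Arrays.asList("other"),
            Collections.<String>emptyList(),
            null);
        for (List<String> aud : tokens) {
            System.out.printf("aud=%-16s allOf=%-5b anyOf=%b%n",
                aud, acceptsAllOf(aud, expected), acceptsAnyOf(aud, expected));
        }
        // Edge case: empty expected list. containsAll(empty) is true, so the
        // all-of check accepts any token that has an aud claim, while
        // disjoint(x, empty) is true, so the any-of check rejects every token.
        List<String> none = Collections.emptyList();
        List<String> aud = Arrays.asList("other");
        System.out.printf("expected=[] allOf=%b anyOf=%b%n",
            acceptsAllOf(aud, none), acceptsAnyOf(aud, none));
    }
}
```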