JWTs typically include an audience claim. I've read in many places (articles, code examples, the spec itself) that you must check that the token is intended for you and not another audience.
I'm happy enough to accept that. I'm not planning on building anything that sends JWTs to the wrong audience. But I'm curious as to why it's important to reject it.
You should be able to verify that the token was issued by an authentication server that you trust. So you have to accept that the claims in there are not fabricated.
The only risk I can think of is if the auth server produced different values, for the same claim, to different audiences. Other than poor namespacing, I can't think of a reason this would happen.
E.g.
{
"aud": "foo",
"roles": ["admin"]
}
Instead of:
{
"aud": "foo",
"foo.roles": ["admin"]
}
Perhaps the question could be better phrased as:
What bad things can happen if I accept another audience's (valid) JWT token?
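As an added example (not part of the question above), the following Python builds a minimal HS256 JWT verifier from the standard library and runs the scenario the question describes: a token the auth server issued for audience "foo" with a "roles" claim of ["admin"], presented to a second service "bar" that shares the same signing key. The assumptions are constructed for the example: HS256 with one key shared between the auth server and both services, the service names "foo" and "bar", and a flat "roles" claim as in the first JSON snippet above. With the audience check disabled, "bar" treats the caller as an admin on the strength of a token that was never meant for it; with the check enabled, the same token is rejected.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. Assumption for this example: the auth server and
# every relying service share this HS256 key, so any of them can verify any
# token the auth server issues. That is exactly the setting in which the
# "aud" check is what keeps one service's tokens from being used at another.
SHARED_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature) for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, expected_aud: Optional[str]) -> dict:
    """Verify the signature, then (when expected_aud is given) the audience.

    RFC 7519 allows "aud" to be a single string or an array of strings, so
    both forms are accepted. Returns the claims on success, raises
    ValueError on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if expected_aud is not None:
        aud = claims.get("aud")
        allowed = aud if isinstance(aud, list) else [aud]
        if expected_aud not in allowed:
            raise ValueError(f"token audience {aud!r} does not include {expected_aud!r}")
    return claims


def is_admin(token: str, key: bytes, service_name: str, check_aud: bool = True) -> bool:
    """Authorization decision a service might make from the token's roles claim.

    check_aud=False models a service that skips the audience check, which is
    the situation the question asks about.
    """
    try:
        claims = verify_token(token, key, service_name if check_aud else None)
    except ValueError:
        return False
    return "admin" in claims.get("roles", [])


# Constructed sample: the auth server issues "foo" a token granting admin.
FOO_ADMIN_TOKEN = mint_token({"aud": "foo", "roles": ["admin"]}, SHARED_KEY)

if __name__ == "__main__":
    print("foo accepts its own token:", is_admin(FOO_ADMIN_TOKEN, SHARED_KEY, "foo"))
    print("bar rejects foo's token:", not is_admin(FOO_ADMIN_TOKEN, SHARED_KEY, "bar"))
    print("bar without aud check grants admin:",
          is_admin(FOO_ADMIN_TOKEN, SHARED_KEY, "bar", check_aud=False))
```

The point the last line makes is the answer to the question as posed: a token that is cryptographically valid and was legitimately obtained by one party (for "foo") becomes a credential at every other service that shares the issuer's trust but does not compare "aud" with its own identifier. Namespacing claim names does not help with that, because the claims themselves are genuine; only the audience check ties the token to the service it was minted for.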