While I have used your implementation and it works like a charm, I have a conceptual question, maybe an enhancement.
In your article you refer to the audience as the "Relying Party" as we know it, which is the resource server, so that multiple resource servers can be registered with the STS and get their symmetricKeys wired up. What I don't completely get is how the registered clients fit into the picture. I am currently in a situation where I have multiple clientIds (iPhone, webAngular, android etc.) but a single relying party. To tackle the issue I have multiple audiences, one for each client, and it works. However, it is messing with my mind.
Is there a need for a separate Client entity?
Am I missing something here?
Thanks for taking the time to put this together.