Current JwtUtils.validateJwtAudienceRestriction implementation does not comply with the 'aud' claim specification. An 'aud' claim is optional - the current validation does not cater for the case when the 'aud' claim is optional i.e. when no aud claims are present, the processing principal should be allowed to process if it so chooses.
Should perhaps also consider allowing explicit audiences vs wildcards i.e. allowing a resource to also include all its sub-resources - this would reduce the token size which does not scale well if the token has to contain multiple aud claims