When a KnoxToken service configuration includes a particular audience or list of audiences it is intended for use with endpoints that are protected by a provider that will validate that it/they are contained in the audience claims of the token.
This is done so that tokens issued by a KnoxToken service in a particular topology can be used only with specifically configured topologies. This can be used to constrain the number of services that clients have access to.
JWTFederationFilter currently does not validate the presence of the expected audience claims.
Must try and leverage existing code for the same capabilities from within the SSOCookieProvider.