diff --git a/internal/go-sso/oidcauth/config.go b/internal/go-sso/oidcauth/config.go
index 84bbac9e0cbe..a5e0e8bcb681 100644
--- a/internal/go-sso/oidcauth/config.go
+++ b/internal/go-sso/oidcauth/config.go
@@ -45,7 +45,6 @@ type Config struct {
 
 	// Comma-separated list of 'aud' claims that are valid for login; any match
 	// is sufficient
-	// TODO(sso): actually just send these down as string claims?
 	BoundAudiences []string
 
 	// Mappings of claims (key) that will be copied to a metadata field
diff --git a/internal/go-sso/oidcauth/oidc.go b/internal/go-sso/oidcauth/oidc.go
index df00dfcc25f6..cd7876251095 100644
--- a/internal/go-sso/oidcauth/oidc.go
+++ b/internal/go-sso/oidcauth/oidc.go
@@ -235,7 +235,8 @@ func (a *Authenticator) verifyOIDCToken(ctx context.Context, rawToken string) (m
 	if err := idToken.Claims(&allClaims); err != nil {
 		return nil, fmt.Errorf("unable to successfully parse all claims from token: %v", err)
 	}
-	// TODO(sso): why isn't this strict for OIDC?
+	// Follows behavior of hashicorp/vault-plugin-auth-jwt (non-strict validation).
+	// See https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/oidc#oidc-configuration-troubleshooting.
 	if err := validateAudience(a.config.BoundAudiences, idToken.Audience, false); err != nil {
 		return nil, fmt.Errorf("error validating claims: %v", err)
 	}
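Review bot: The new comment above the validateAudience call in oidc.go says validation is non-strict but not what that means at this call site, so a reader still has to open validateAudience to learn the consequence of passing `false`. If, as in vault-plugin-auth-jwt, non-strict means an empty BoundAudiences list skips the audience check entirely, that is the security-relevant fact an operator needs and it belongs next to the link: `// Non-strict: when BoundAudiences is empty the token's aud claim is not checked at all (mirrors vault-plugin-auth-jwt); confirm against validateAudience.` The same fact would also fit the BoundAudiences field doc in config.go, where the first hunk removes the TODO without saying what an empty list does. verifyOIDCToken starts and ends outside the hunk.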