Should "aud" claim be required for Access JWT?

[maximivanov]

If I'm not missing anything, currently JWT access token verification will fail if it doesn't have aud claim:

jose/lib/jwt/verify.js

Line 110 in 75e331d

throw new TypeError('"audience" option is required to validate a JWT Access Token')

This is the case with access tokens issued by AWS Cognito. They have client_id but not aud.

I found this SO question https://stackoverflow.com/questions/53148711/why-doesnt-amazon-cognito-return-an-audience-field-in-its-access-tokens. One of the answers raises a point that aud doesn't seem to be required by specification.

Looking at https://tools.ietf.org/html/rfc7519#section-4.1.3, the verbiage is:

If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.
...
Use of this claim is OPTIONAL.

What's your take on this?

[panva]

This is the profile that’s referenced by the readme to be validated with the jwt+AT profile

https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt

Other proprietary implementations should not be using the profile option and be validated as a generic JWT with options as demanded by the producer