Is API management not validating token Audience something Wanted ?

[scandinave]

Hi,

I've seen that management API does not validate the token audience. The AudienceRule is not applied in the DelegatedAuthenticationExtension. I think it must be done like it is in the Oauth2ServiceExtension otherwise the Management API will authorize tokens emitted by the correct Authorization Server but intended for a different resources serveur protected with the authorization server

Do I miss something?