diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
index d174a8252..1d0f33478 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
@@ -340,7 +340,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 				
 				claimsSet.setIssuer(clientConfig.getClientId());
 				claimsSet.setSubject(clientConfig.getClientId());
-				claimsSet.setAudience(Lists.newArrayList(serverConfig.getIssuer()));
+				claimsSet.setAudience(Lists.newArrayList(serverConfig.getTokenEndpointUri()));
 
 				// TODO: make this configurable
 				Date exp = new Date(System.currentTimeMillis() + (60 * 1000)); // auth good for 60 seconds
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
index eb3b1f179..9c7c7e0af 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
@@ -174,8 +174,8 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
 			// check audience
 			if (jwtClaims.getAudience() == null) {
 				throw new AuthenticationServiceException("Assertion token audience is null");
-			} else if (!jwtClaims.getAudience().contains(config.getIssuer())) {
-				throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " got " + jwtClaims.getAudience());
+			} else if (!(jwtClaims.getAudience().contains(config.getIssuer()) || jwtClaims.getAudience().contains(config.getIssuer() + "token"))) {
+				throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " or " + (config.getIssuer() + "token") + " got " + jwtClaims.getAudience());
 			}
 
 			// IFF we managed to get all the way down here, the token is valid