Add in the "aud" claim.

... ensure we're dealing with our tokens.

src/Event/StompHeaderEvent.php

@@ -11,7 +11,7 @@
 /**
  * Event used to build headers for STOMP.
  */
-class StompHeaderEvent implements StompHeaderEventInterface {
+class StompHeaderEvent extends Event implements StompHeaderEventInterface {
 
   /**
    * Stashed entity, for context.

src/EventGenerator/EmitEvent.php

@@ -9,11 +9,13 @@
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
 use Drupal\Core\Session\AccountInterface;
+use Drupal\islandora\Event\StompHeaderEvent;
 use Drupal\islandora\Event\StompHeaderEventException;
 use Stomp\Exception\StompException;
 use Stomp\StatefulStomp;
 use Stomp\Transport\Message;
 use Symfony\Component\DependencyInjection\ContainerInterface;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 
 /**
  * Configurable action base for actions that publish messages to queues.

src/EventSubscriber/JwtEventSubscriber.php

@@ -19,6 +19,8 @@
  */
 class JwtEventSubscriber implements EventSubscriberInterface {
 
+  const AUDIENCE = 'islandora';
+
   /**
    * User storage to load users.
    *
@@ -100,6 +102,7 @@ public function setIslandoraClaims(JwtAuthGenerateEvent $event) {
     $event->addClaim('sub', $this->currentUser->getAccountName());
     $event->addClaim('roles', $this->currentUser->getRoles(FALSE));
 
+    $event->addClaim('aud', [static::AUDIENCE]);
   }
 
   /**
@@ -111,6 +114,10 @@ public function setIslandoraClaims(JwtAuthGenerateEvent $event) {
   public function validate(JwtAuthValidateEvent $event) {
     $token = $event->getToken();
 
+    if (!in_array(static::AUDIENCE, $token->getClaim('aud'), TRUE)) {
+      $event->invalidate('Missing audience entry.');
+    }
+
     $uid = $token->getClaim('webid');
     $name = $token->getClaim('sub');
     $roles = $token->getClaim('roles');