Question

I want to implement a more robust authentication service, and JWT is a big part of what I want to do. I understand how to write the code, but I'm having a little trouble understanding the difference between the reserved iss and aud claims. I understand that one defines the server that is issuing the token and the other refers to the application it is intended for. But the way I understand that, my audience and issuer are the same thing: myserver.com is issuing the token so that people who come to myserver.com can be authorized and authenticated. I guess I don't see the differentiation between the two claims, although I know there is one.
There was a good article written on MSDN about all of the reserved claims, and that's where I got most confused, because their issuer and audience were completely different.


Solution

These are intended for scenarios where you have a token issuing authority that is not the same as the application that is the intended recipient.

This may not be different for your application.

But consider a large-scale application. You might have an OAuth or SSO server that's issuing the certificates, and an application that wants a token that shows the SSO server has checked the user's credentials and has approved the user to use the application. In that case, you might have a token with "aud": "aud.example.com" and "iss": "sso.example.com".
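The split between the two claims becomes concrete once the recipient actually validates them: the issuer check pins who is allowed to have signed the token, and the audience check pins which application is allowed to accept it. The following is an added example, not code from the answer above, using a minimal HS256 JWT with a constructed placeholder secret shared between sso.example.com and aud.example.com; a verifier for aud.example.com accepts the token while a verifier for any other audience rejects the same, validly signed token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder: the HS256 secret shared by the SSO server and the app.
SECRET = b"example-shared-secret-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(issuer: str, audience: str, subject: str, ttl: int = 300) -> str:
    """Mint a token the way sso.example.com (iss) would for aud.example.com (aud)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_iss: str, expected_aud: str) -> dict:
    """Check the signature first, then pin both iss and aud; raise on any mismatch."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the header's choice of algorithm
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("untrusted issuer")  # signed by someone we do not trust
    aud = claims.get("aud")  # RFC 7519 allows a single string or a list of audiences
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        raise ValueError("token not intended for this audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims
```

A token that passes the signature and issuer checks is still refused by a service whose name is not in `aud`, which is what stops a token minted for one application from being replayed against another one that trusts the same SSO server.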

License: CC-BY-SA with attribution
Not affiliated with softwareengineering.stackexchange