Why doesn't Amazon Cognito return an audience field in its access tokens?
From my reading of the RFC I do not think that AWS is doing anything wrong, specifically (note my emphasis):
If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.
Use of this claim is OPTIONAL.
Which, I believe, means that AWS is fine, because it's simply omitting the claim in the case of the access token, but it is identifying itself (in its own way), by setting it to client_id when it does make the claim on the id token.
It should be noted that the access token itself does encode and enforce the audience; in that when you use it against AWS' APIs it will enforce that you only receive the resources available on the client_id/scope that it was issued for.
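As an added example (not part of the question or answer above), this is the RFC 7519 "aud" rule the answer quotes, applied to both Cognito token types: the id token is accepted through its aud claim, the access token through its client_id claim, and a token naming neither is rejected. The tokens are constructed and unsigned, and the claim names token_use and client_id are assumed from Cognito's token format.

```python
import base64
import json

# Constructed, UNSIGNED sample tokens for illustration only. Real Cognito tokens
# must have their signature verified against the user pool's JWKS before any
# claim below is trusted.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _make_token(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

MY_CLIENT_ID = "example-app-client-id"  # constructed app client id
ID_TOKEN = _make_token({"token_use": "id", "aud": MY_CLIENT_ID, "sub": "u-1"})
ACCESS_TOKEN = _make_token({"token_use": "access", "client_id": MY_CLIENT_ID,
                            "scope": "openid profile", "sub": "u-1"})

def payload_of(token: str) -> dict:
    """Decode the JWT payload segment (no signature check; see comment above)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def audience_check(claims: dict, my_client_id: str):
    """Return the claim that proved this token is for us, or None to reject.

    RFC 7519 section 4.1.3: if 'aud' is present we MUST appear in it; if it is
    absent the claim is OPTIONAL, so for a Cognito access token fall back to
    the 'client_id' claim the token was issued for.
    """
    aud = claims.get("aud")
    if aud is not None:
        auds = aud if isinstance(aud, list) else [aud]
        return "aud" if my_client_id in auds else None
    if claims.get("token_use") == "access" and claims.get("client_id") == my_client_id:
        return "client_id"
    return None  # neither claim names us: reject rather than assume
```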