diff --git a/core/src/main/java/org/keycloak/RSATokenVerifier.java b/core/src/main/java/org/keycloak/RSATokenVerifier.java
index da258c3051..da23ff9816 100755
--- a/core/src/main/java/org/keycloak/RSATokenVerifier.java
+++ b/core/src/main/java/org/keycloak/RSATokenVerifier.java
@@ -35,7 +35,7 @@ public class RSATokenVerifier {
 if (user == null) {
 throw new VerificationException("Token user was null.");
 }
- if (!realm.equals(token.getAudience())) {
+ if (!realm.equals(token.getIssuer())) {
 throw new VerificationException("Token audience doesn't match domain.");
 }
diff --git a/core/src/test/java/org/keycloak/RSAVerifierTest.java b/core/src/test/java/org/keycloak/RSAVerifierTest.java
index 5e87780457..cb39c6fa70 100755
--- a/core/src/test/java/org/keycloak/RSAVerifierTest.java
+++ b/core/src/test/java/org/keycloak/RSAVerifierTest.java
@@ -72,7 +72,7 @@ public class RSAVerifierTest {
 token = new AccessToken();
 token.subject("CN=Client")
- .audience("domain")
+ .issuer("domain")
 .addAccess("service").addRole("admin");
 }
@@ -213,7 +213,7 @@ public class RSAVerifierTest {
 public void testTokenAuth() throws Exception {
 token = new AccessToken();
 token.subject("CN=Client")
- .audience("domain")
+ .issuer("domain")
 .addAccess("service").addRole("admin").verifyCaller(true);
 String encoded = new JWSBuilder()
diff --git a/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml
index 777378947f..78d947c8fa 100755
--- a/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml
+++ b/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml
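Review bot: The message thrown right after the changed line still says `Token audience doesn't match domain.` although the comparison is now against `token.getIssuer()`; it should read `throw new VerificationException("Token issuer doesn't match domain.");` so a failed verification names the claim that was actually checked. With this change the verifier no longer looks at `aud` at all, so a token the realm issued for one client passes this check for any caller that relies on this verifier; the adapter side still needs to confirm that `aud` names its own client id, which this hunk does not cover. A token with no issuer is rejected here only because `realm.equals(null)` is false, which is worth a one-line comment. The enclosing verification method starts and ends outside the hunk.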
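Review bot: Both hunks of RSAVerifierTest (@@ -72 and @@ -213) switch the fixture from `.audience("domain")` to `.issuer("domain")`, so the suite now exercises only the positive path of the new issuer comparison; nothing in this diff builds a token with a wrong or missing `iss` and asserts a `VerificationException`, and such a case would pin the behaviour the verifier change introduces. Given the migration note that `aud` now carries the client id, a token that sets `aud` but omits `iss` is the most useful negative case to add, as it is exactly the shape an older adapter would produce. The fixture method around the first hunk starts outside it.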
@@ -5,8 +5,8 @@ UserSessionModel JPA and Mongo storage schema has changed as these interfaces have been refactored
- Upgrade your adapters as REST API has changed. We're still supporting older adapters for now, but in future
- versions this backward compatibility will be removed.
+ Upgrade your adapters. We interpreted JSON Web Token and OIDC ID Token specification incorrectly. 'aud'
+ claim must be the client id, we were storing the realm name in there and validating it.
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index 33485b0ed1..4434a544bc 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -222,7 +222,7 @@ public class TokenManager {
 IDToken token = new IDToken();
 token.id(KeycloakModelUtils.generateId());
 token.subject(user.getId());
- token.audience(realm.getName());
+ token.audience(claimer.getClientId());
 token.issuedNow();
 token.issuedFor(client.getUsername());
 token.issuer(realm.getName());
@@ -239,7 +239,7 @@ public class TokenManager {
 AccessToken token = new AccessToken();
 token.id(KeycloakModelUtils.generateId());
 token.subject(user.getId());
- token.audience(realm.getName());
+ token.audience(client.getClientId());
 token.issuedNow();
 token.issuedFor(client.getClientId());
 token.issuer(realm.getName());
@@ -343,7 +343,7 @@ public class TokenManager {
 idToken = new IDToken();
 idToken.id(KeycloakModelUtils.generateId());
 idToken.subject(accessToken.getSubject());
- idToken.audience(realm.getName());
+ idToken.audience(client.getClientId());
 idToken.issuedNow();
 idToken.issuedFor(accessToken.getIssuedFor());
 idToken.issuer(accessToken.getIssuer());
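Review bot: The first TokenManager hunk (@@ -222) sets the ID token audience from `claimer.getClientId()` while the following context line keeps `issuedFor(client.getUsername())`, and the other two hunks (@@ -239 and @@ -343) take the audience from `client.getClientId()`; if `claimer` and `client` can refer to different clients, this ID token's `aud` and `azp` will disagree, and OIDC expects `aud` to name the client the token is issued for. If they are always the same client, `token.audience(client.getClientId());` here would match the other two sites and remove the question. A comment above each of the three assignments, `// aud is the client id of the party the token is issued for, never the realm name`, would document the contract the migration note describes. The enclosing methods start and end outside the hunks.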
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index a8e4b6b664..9dbfbead89 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -107,7 +107,7 @@ public class AuthenticationManager {
 token.id(KeycloakModelUtils.generateId());
 token.issuedNow();
 token.subject(user.getId());
- token.audience(realm.getName());
+ token.issuer(realm.getName());
 if (session != null) {
 token.setSessionState(session.getId());
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
index 79f5f9edc3..8368fc3d40 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
@@ -140,7 +140,7 @@ public class AdminRoot {
 } catch (IOException e) {
 throw new UnauthorizedException("Bearer token format error");
 }
- String realmName = token.getAudience();
+ String realmName = token.getIssuer();
 RealmManager realmManager = new RealmManager(session);
 RealmModel realm = realmManager.getRealmByName(realmName);
 if (realm == null) {
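Review bot: The changed line in AuthenticationManager replaces `audience(realm.getName())` with `issuer(realm.getName())`, so the token built here now carries no `aud` claim at all rather than a corrected one; any consumer that still reads `getAudience()` from it will now get null, and only AdminRoot is updated in this diff, so the other readers of this token should be checked. A short comment on the changed line, `// realm-scoped token: identified by iss; aud is reserved for a client id and deliberately not set`, would make the omission visibly intentional instead of looking like a dropped claim. The method around the hunk starts and ends outside it.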
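Review bot: In the AdminRoot hunk `token.getIssuer()` is read immediately after the token is parsed, so as far as the hunk shows the value comes from a not-yet-verified payload and is then used to select the realm; that is only safe if the signature is subsequently checked with that realm's key and the issuer compared again, which the RSATokenVerifier change in this commit does, but the rest of this method is outside the hunk so I cannot confirm the call order. A comment on the changed line, `// iss is taken from the unverified payload: use it only to pick the realm whose key verifies the signature`, would stop the next maintainer from treating `realmName` as trusted before verification. The method starts and ends outside the hunk.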