node      *core.Node
		exp       int64
		warnafter int64
		aud       []string
		err       string
		// desired
		sc *jwt.Claims
		pc *privateClaims

		featureJTI, featurePodNodeInfo, featureNodeBinding bool
	}{
		{
			// pod and secret
			sa:  sa,
			pod: pod,
			sec: sec,
			// really fast
			exp: 0,
			// nil audience
			aud: nil,
			err: "internal error, token can only be bound to one object type",

	// Payload {
	//  "aud": foo,
	//  "exp": 4732994801,
	//  "iat": 1579394801,
	//  "iss": "******@****.***",
	//  "sub": "sub-1"
	// }
	// Generated by: security/tools/jwt/samples/gen-jwt.py tests/common/jwt/key.pem -jwks=tests/common/jwt/jwks.json
	// --expire=3153600000 --iss=******@****.*** --sub=sub-1 --aud=foo
	// nolint: lll

							check.Status(http.StatusUnauthorized))
					},
				},
			}))

			t.NewSubTest("aud").Run(newTest("testdata/requestauthn/aud.yaml.tmpl", []testCase{
				{
					name: "invalid-aud",
					customizeCall: func(_ framework.TestContext, _ echo.Instance, opts *echo.CallOptions) {
						opts.HTTP.Path = "/valid-aud"
						opts.HTTP.Headers = headers.New().WithAuthz(jwt.TokenIssuer1).Build()

	iss := trustedIssuer.Get()
	aud := audience.Get()

	token, err := os.ReadFile(securityModel.ThirdPartyJwtPath)
	if err == nil {
		tok, err := detectAuthEnv(string(token))
		if err != nil {
			log.Warnf("Starting with invalid K8S JWT token: %v", err)
		} else {
			if iss == "" {
				iss = tok.Iss
			}
			if len(tok.Aud) > 0 && len(aud) == 0 {
				aud = tok.Aud[0]
			}
		}
	}

		if debugPrint {
			fmt.Printf("handler: Got Connect Req %+v\n", cReq)
		}
		writeErr(remote.handleIncoming(ctx, conn, cReq))
	}
}

// AuthFn should provide an authentication string for the given aud.
type AuthFn func(aud string) string

// Connection will return the connection for the specified host.
// If the host does not exist nil will be returned.
func (m *Manager) Connection(host string) *Connection {

    # Istiod is the default
    pilotCertProvider: istiod
    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca
    sts:
      # The service port used by Security Token Service (STS) server to handle token exchange requests.

    # Istiod is the default
    pilotCertProvider: istiod

    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca

    sts:

                                regex: .+
            - metadata:
                filter: envoy.filters.http.jwt_authn
                path:
                - key: payload
                - key: aud
                value:
                  orMatch:
                    valueMatchers:
                    - listMatch:
                        oneOf:
                          orMatch:

        projected:
          sources:
          - serviceAccountToken:
              path: istio-token
              expirationSeconds: 43200
              audience: {{ .Values.global.sds.token.aud }}
      {{- if eq .Values.global.pilotCertProvider "istiod" }}
      - name: istiod-ca-cert
        configMap:
          name: istio-ca-root-cert
      {{- end }}
      {{- if .Values.global.imagePullSecrets }}

        projected:
          sources:
          - serviceAccountToken:
              path: istio-token
              expirationSeconds: 43200
              audience: {{ .Values.global.sds.token.aud }}
      {{- if .Values.global.mountMtlsCerts }}
      # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
      - name: istio-certs
        secret: