// Audiences are audience identifiers chosen by the authenticator that are
	// compatible with both the TokenReview and token. An identifier is any
	// identifier in the intersection of the TokenReviewSpec audiences and the
	// token's audiences. A client of the TokenReview API that sets the
	// spec.audiences field should validate that a compatible audience identifier

				"username": "jane",
				"exp": %d
			}`, valid.Unix()),
			wantErr: `oidc: verify token: oidc: expected audience "my-client" got ["not-my-client"]`,
		},
		{
			// ID tokens may contain multiple audiences:
			// https://openid.net/specs/openid-connect-core-1_0.html#IDToken
			name: "multiple-audiences",
			options: Options{
				JWTAuthenticator: apiserver.JWTAuthenticator{
					Issuer: apiserver.Issuer{

# - Allow request with valid JWT token to access path /jwt1
# - Allow request with valid JWT token of presenter bar to access path with suffix "/presenter"
# - Allow request with valid JWT token of audiences foo to access path with suffix "/audiences"

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"

          notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]
        - key: "request.auth.audiences"
          values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"]
          notValues: ["not-audiences", "not-audiences-prefix-*", "*-not-suffix-audiences", "*"]
        - key: "request.auth.presenter"
          values: ["presenter", "presenter-prefix-*", "*-suffix-presenter", "*"]

	ksa := parts[3]
	if !checkAudience(sa.Aud, j.audiences) {
		return nil, fmt.Errorf("invalid audiences %v", sa.Aud)
	}
	return &security.Caller{
		AuthSource: security.AuthSourceIDToken,
		Identities: []string{spiffe.MustGenSpiffeURI(j.meshHolder.Mesh(), ns, ksa)},
	}, nil
}

// checkAudience() returns true if the audiences to check are in
// the expected audiences. Otherwise, return false.

                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences
                    value:
                      stringMatch:
                        suffix: -suffix-audiences
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences

    controller: true
    kind: kindValue
    name: nameValue
    uid: uidValue
  resourceVersion: resourceVersionValue
  selfLink: selfLinkValue
  uid: uidValue
spec:
  audiences:
  - audiencesValue
  token: tokenValue
status:
  audiences:
  - audiencesValue
  authenticated: true
  error: errorValue
  user:
    extra:
      extraKey:
      - extraValue
    groups:
    - groupsValue
    uid: uidValue

		},
		{
			name:          "api audience matching response audience",
			apiAuds:       authenticator.Audiences([]string{"other"}),
			respAuds:      []string{"other"},
			expectSuccess: true,
		},
		{
			name:          "api audience non-matching response audience",
			apiAuds:       authenticator.Audiences([]string{"other"}),
			respAuds:      []string{"some"},
			expectSuccess: false,
		},
	}

		{
			name:        "valid audience with MatchAny policy",
			in:          []string{"audience"},
			matchPolicy: "MatchAny",
			want:        "",
		},
		{
			name:        "duplicate audience",
			in:          []string{"audience", "audience"},
			matchPolicy: "MatchAny",
			want:        `issuer.audiences[1]: Duplicate value: "audience"`,
		},
		{
			name: "match policy not set with multiple audiences",

  "spec": {
    "token": "tokenValue",
    "audiences": [
      "audiencesValue"
    ]
  },
  "status": {
    "authenticated": true,
    "user": {
      "username": "usernameValue",
      "uid": "uidValue",
      "groups": [
        "groupsValue"
      ],
      "extra": {
        "extraKey": [
          "extraValue"
        ]
      }
    },
    "audiences": [
      "audiencesValue"
    ],