delayedJWSSignaturePatch bool
		expectedError            bool
	}{
		{
			// This is the default behavior. The JWS signature is patched after the cluster-info ConfigMap is created
			name:        "valid: retrieve a valid kubeconfig with CA verification and delayed JWS signature",
			tokenID:     "123456",
			tokenSecret: "abcdef1234567890",
			cfg: &kubeadmapi.Discovery{

				klog.V(1).Infof("[discovery] Retrying due to error: %v", lastError)
				return false, nil
			}
			// Even if the ConfigMap is available the JWS signature is patched-in a bit later.
			if _, ok := cm.Data[bootstrapapi.JWSSignatureKeyPrefix+token.ID]; !ok {
				lastError = errors.Errorf("could not find a JWS signature in the cluster-info ConfigMap"+
					" for token ID %q", token.ID)
				klog.V(1).Infof("[discovery] Retrying due to error: %v", lastError)

    - https://github.com/istio/istio/issues/28742

releaseNotes:
- |
  **Added** Configuring Envoy to fetch the Jwks by it self. This should be enabled if the JwksUri is a mesh cluster URL for mTLS and other benefits like retries, jws caching etc. 

// limitations under the License.

package jwt

import (
	"encoding/json"
	"os"
	"reflect"
	"testing"

	"github.com/lestrrat-go/jwx/jwa"
	"github.com/lestrrat-go/jwx/jwk"
	"github.com/lestrrat-go/jwx/jws"
)

func getKey(jwksFile string, t *testing.T) any {
	t.Helper()

	data, err := os.ReadFile(jwksFile)
	if err != nil {
		t.Fatalf("failed to read jwks: %s", err)
	}
	jwks, err := jwk.Parse(data)

	clientset "k8s.io/client-go/kubernetes"
	corelisters "k8s.io/client-go/listers/core/v1"
	"k8s.io/client-go/tools/cache"
	"k8s.io/client-go/util/workqueue"
	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
	jws "k8s.io/cluster-bootstrap/token/jws"
	api "k8s.io/kubernetes/pkg/apis/core"
)

// SignerOptions contains options for the Signer
type SignerOptions struct {
	// ConfigMapNamespace is the namespace of the ConfigMap

func checkJSONWebSignatureHasKeyID(t *testing.T, jwsString string, expectedKeyID string) {
	jws, err := jose.ParseSigned(jwsString)
	if err != nil {
		t.Fatalf("Error checking for key ID: couldn't parse token: %v", err)
	}

	if jws.Signatures[0].Header.KeyID != expectedKeyID {
		t.Errorf("Token %q has the wrong KeyID (got %q, want %q)", jwsString, jws.Signatures[0].Header.KeyID, expectedKeyID)
	}
}

	jws, err := jose.ParseSigned(jwt)
	if err != nil {
		return nil, err
	}
	if len(jws.Signatures) == 0 {
		return nil, fmt.Errorf("jwt contained no signatures")
	}
	kid := jws.Signatures[0].Header.KeyID

	for _, key := range s.keys {
		if key.KeyID == kid {
			return jws.Verify(key)
		}
	}

// serialization format and the "iss" claim matches the iss field of this token
// authenticator, and otherwise returns false.
//
// Note: go-jose currently does not allow access to unverified JWS payloads.
// See https://github.com/square/go-jose/issues/169
func (j *jwtTokenAuthenticator) hasCorrectIssuer(tokenData string) bool {
	if strings.HasPrefix(strings.TrimSpace(tokenData), "{") {
		return false
	}

  /**
   * For <a href="https://tools.ietf.org/html/rfc7515">JWS or JWE objects using the Compact
   * Serialization</a>.
   *
   * @since 27.1
   */
  public static final MediaType JOSE = createConstant(APPLICATION_TYPE, "jose");

  /**
   * For <a href="https://tools.ietf.org/html/rfc7515">JWS or JWE objects using the JSON
   * Serialization</a>.
   *
   * @since 27.1
   */

  /**
   * For <a href="https://tools.ietf.org/html/rfc7515">JWS or JWE objects using the Compact
   * Serialization</a>.
   *
   * @since 27.1
   */
  public static final MediaType JOSE = createConstant(APPLICATION_TYPE, "jose");

  /**
   * For <a href="https://tools.ietf.org/html/rfc7515">JWS or JWE objects using the JSON
   * Serialization</a>.
   *
   * @since 27.1
   */