healthChecks = append(healthChecks, oidcAuth.HealthCheck)
	}
	return &jwtAuthenticatorWithCancel{
		jwtAuthenticator: authenticator.WrapAudienceAgnosticToken(apiAudiences, tokenunion.NewFailOnError(jwtAuthenticators...)), // this handles the empty jwtAuthenticators slice case correctly
		healthCheck: func() error {
			var errs []error
			for _, check := range healthChecks {

	}
	c.claims = replace(c.claims, &v)
	c.openIDConfig = replace(c.openIDConfig, &v)
	c.options.JWTAuthenticator.Issuer.URL = replace(c.options.JWTAuthenticator.Issuer.URL, &v)
	c.options.JWTAuthenticator.Issuer.DiscoveryURL = replace(c.options.JWTAuthenticator.Issuer.DiscoveryURL, &v)
	for claim, response := range c.claimToResponseMap {
		c.claimToResponseMap[claim] = replace(response, &v)
	}

)

const (
	IDTokenAuthenticatorType = "IDTokenAuthenticator"
)

type JwtAuthenticator struct {
	// holder of a mesh configuration for dynamically updating trust domain
	meshHolder mesh.Holder
	audiences  []string
	verifier   *oidc.IDTokenVerifier
}

var _ security.Authenticator = &JwtAuthenticator{}

// newJwtAuthenticator is used when running istiod outside of a cluster, to validate the tokens using OIDC

		}
	}

	authn := &jwtAuthenticator{
		jwtAuthenticator: opts.JWTAuthenticator,
		resolver:         resolver,
		celMapper:        celMapper,
		requiredClaims:   requiredClaims,
	}
	authn.healthCheck.Store(&errorHolder{
		err: fmt.Errorf("oidc: authenticator for issuer %q is not initialized", authn.jwtAuthenticator.Issuer.URL),
	})

	issuerURL := opts.JWTAuthenticator.Issuer.URL
	if opts.KeySet != nil {

	}
	if err := s.AddGeneratedConversionFunc((*JWTAuthenticator)(nil), (*apiserver.JWTAuthenticator)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1alpha1_JWTAuthenticator_To_apiserver_JWTAuthenticator(a.(*JWTAuthenticator), b.(*apiserver.JWTAuthenticator), scope)
	}); err != nil {
		return err
	}

	}
	if err := s.AddGeneratedConversionFunc((*JWTAuthenticator)(nil), (*apiserver.JWTAuthenticator)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1beta1_JWTAuthenticator_To_apiserver_JWTAuthenticator(a.(*JWTAuthenticator), b.(*apiserver.JWTAuthenticator), scope)
	}); err != nil {
		return err
	}

		copy(*out, *in)
	}
	return
}

// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticator.
func (in *JWTAuthenticator) DeepCopy() *JWTAuthenticator {
	if in == nil {
		return nil
	}
	out := new(JWTAuthenticator)
	in.DeepCopyInto(out)
	return out
}

		copy(*out, *in)
	}
	return
}

// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticator.
func (in *JWTAuthenticator) DeepCopy() *JWTAuthenticator {
	if in == nil {
		return nil
	}
	out := new(JWTAuthenticator)
	in.DeepCopyInto(out)
	return out
}

		ClientCAContentProvider: nil, // this is nil because you can't compare functions
		TokenAuthFile:           "/testTokenFile",
		AuthenticationConfig: &apiserver.AuthenticationConfiguration{
			JWT: []apiserver.JWTAuthenticator{
				{
					Issuer: apiserver.Issuer{
						URL:       "https://testIssuerURL",
						Audiences: []string{"testClientID"},
					},
					ClaimMappings: apiserver.ClaimMappings{

		copy(*out, *in)
	}
	return
}

// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticator.
func (in *JWTAuthenticator) DeepCopy() *JWTAuthenticator {
	if in == nil {
		return nil
	}
	out := new(JWTAuthenticator)
	in.DeepCopyInto(out)
	return out
}