return listAud, nil
	}

	return nil, err
}

type jwtPayload struct {
	// Aud is JWT token audience - used to identify 3p tokens.
	// It is empty for the default K8S tokens.
	Aud []string `json:"aud"`
}

// ExtractJwtAud extracts the audiences from a JWT token. If aud cannot be parse, the bool will be set
// to false. This distinguishes aud=[] from not parsed.

			jwtRule:   `{"issuer": "foo", "jwks_uri": "baz", "audiences": ["aud1", "aud2"]}`,
		},
		{
			name:      "invalid jwt rule",
			expectErr: true,
			jwtRule:   "invalid",
		},
		{
			name:      "jwt rule with invalid audiences",
			expectErr: true,
			// audiences must be a string array
			jwtRule: `{"issuer": "foo", "jwks_uri": "baz", "audiences": "aud1"}`,
		},
	}

	for _, tt := range tests {

	testCases := map[string]struct {
		jwt string
		aud []string
	}{
		"no audience": {
			jwt: firstPartyJwt,
		},
		"one audience string": {
			jwt: oneAudString,
			aud: []string{"abc"},
		},
		"one audience list": {
			jwt: thirdPartyJwt,
			aud: []string{"yonggangl-istio-4.svc.id.goog"},
		},
		"two audiences list": {
			jwt: twoAudList,
			aud: []string{"abc", "xyz"},
		},
	}

		},
		{
			name:  "requestAudiencesGenerator",
			g:     requestAudiencesGenerator{},
			key:   "request.auth.audiences",
			value: "foo",
			want: yamlPrincipal(t, `
         metadata:
          filter: istio_authn
          path:
          - key: request.auth.audiences
          value:
            stringMatch:
              exact: foo`),
		},
		{
			name:  "requestPresenterGenerator",

func (in *Issuer) DeepCopyInto(out *Issuer) {
	*out = *in
	if in.DiscoveryURL != nil {
		in, out := &in.DiscoveryURL, &out.DiscoveryURL
		*out = new(string)
		**out = **in
	}
	if in.Audiences != nil {
		in, out := &in.Audiences, &out.Audiences
		*out = make([]string, len(*in))
		copy(*out, *in)
	}
	return
}

// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer.

	// neither of these are true for audit annotations set via AddAuditAnnotation.
	//
	// for audit annotations, the assumption is that for some period of time (cache TTL),
	// all requests with the same API audiences and the same bearer token result in the
	// same annotations.  This may not be true if the authenticator sets an annotation
	// based on the current time, but that may be okay since cache TTLs are generally
	// small (seconds).

	return &authenticator.Response{
		User: &user.DefaultInfo{
			Name:   "system:unsecured",
			Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
		},
		Audiences: auds,
	}, true, nil

	if o == nil {
		return
	}

	fs.StringSliceVar(&o.APIAudiences, "api-audiences", o.APIAudiences, ""+
		"Identifiers of the API. The service account token authenticator will validate that "+
		"tokens used against the API are bound to at least one of these audiences. If the "+
		"--service-account-issuer flag is configured and this flag is not, this field "+

	"k8s.io/kubernetes/pkg/registry/authentication/tokenreview"
)

type RESTStorageProvider struct {
	Authenticator authenticator.Request
	APIAudiences  authenticator.Audiences
}

func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, error) {

		audience := tokenRequest.Audience
		if _, ok := audiences[audience]; ok {
			allErrs = append(allErrs, field.Duplicate(path.Child("audience"), audience))
			continue
		}
		audiences[audience] = true

		if tokenRequest.ExpirationSeconds == nil {
			continue
		}
		if *tokenRequest.ExpirationSeconds < int64(min.Seconds()) {