parser.add_argument("-claims", "--claims",
                        help="Other claims in format name1:value1,name2:value2 etc. Only string values are supported.")
    parser.add_argument("-jwks", "--jwks",
                        help="Path to the output file for JWKS.")
    parser.add_argument("-expire", "--expire", type=int, default=3600,
                        help="JWT expiration time in second. Default is 1 hour.")

		Path   string
		WantOK bool
	}{
		{"OIDC config path", "/.well-known/openid-configuration", true},
		{"JWKS path", "/openid/v1/jwks", true},
		{"well-known", "/.well-known", false},
		{"subpath", "/openid/v1/jwks/foo", false},
		{"query", "/openid/v1/jwks?format=yaml", true},
		{"fragment", "/openid/v1/jwks#issuer", true},
	} {
		t.Run(tt.Name, func(t *testing.T) {
			resp, err := http.Get(s.URL + tt.Path)

		if err != nil {
			log.Infof("The JWKS key is not yet fetched for issuer %s (%s), using a fake JWKS for now", jwtIssuer, jwksURI)
			// This is a temporary workaround to reject a request with JWT token by using a fake jwks when istiod failed to fetch it.
			// TODO(xulingqing): Find a better way to reject the request without using the fake jwks.
			jwtPubKey = FakeJwks
		}
	}

```bash
pip install jwcrypto
```

## Regenerate private key and JWKS (for developer use only)

1. Regenerate private key using `openssl`

    ```bash
    openssl genrsa -out key.pem 2048
    ```

1. Run gen-jwt.py with `--jkws` to create new public key set and demo JWT

    ```bash
    gen-jwt.py key.pem -jwks=./jwks.json --expire=3153600000 --claims=foo:bar > demo.jwt

	t.Helper()

	data, err := os.ReadFile(jwksFile)
	if err != nil {
		t.Fatalf("failed to read jwks: %s", err)
	}
	jwks, err := jwk.Parse(data)
	if err != nil {
		t.Fatalf("failed to parse jwks: %s", err)
	}
	var key any
	k, _ := jwks.Get(0)
	if err := k.Raw(&key); err != nil {
		t.Fatalf("failed to materialize jwks: %s", err)
	}
	return key
}

func TestSampleJwtToken(t *testing.T) {
	testCases := []struct {

  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    audiences:
    - "foo"
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    audiences:
    - "bar"
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:

    name: waypoint
  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ignored-{{ .To.ServiceName }}
spec:
  selector:

			} else {
				model.IncLookupClusterFailures("jwks")
				// Log error and create remote JWKs with fake cluster
				authnLog.Errorf("Failed to look up Envoy cluster %v. "+
					"Please create ServiceEntry to register external JWKs server or "+
					"set PILOT_JWT_ENABLE_REMOTE_JWKS to hybrid/istiod mode.", err)

	OpenIDConfigPath = "/.well-known/openid-configuration"

	// JWKSPath is the URL path at which the API server serves a JWKS
	// containing the public keys that may be used to sign Kubernetes
	// Service Account keys.
	JWKSPath = "/openid/v1/jwks"
)

// OpenIDMetadata contains the pre-rendered responses for OIDC discovery endpoints.
type OpenIDMetadata struct {
	ConfigJSON       []byte

  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ignored-{{ .To.ServiceName }}
spec:
  selector: