jwt:         thirdPartyJwt,
			expectedExp: time.Date(2020, time.April, 5, 10, 13, 54, 0, time.FixedZone("PDT", -int((7*time.Hour).Seconds()))),
			expectedErr: nil,
		},
		"jwt with no expiration time": {
			jwt:         firstPartyJwt,
			expectedExp: time.Time{},
			expectedErr: nil,
		},
		"invalid jwt": {
			jwt:         "invalid-section1.invalid-section2.invalid-section3",
			expectedExp: time.Time{},

	testCases := map[string]struct {
		jwt            string
		now            time.Time
		expectedRotate bool
	}{
		"remaining life time is in grace period": {
			jwt:            thirdPartyJwt,
			now:            jwtExp.Add(time.Duration(-10) * time.Minute),
			expectedRotate: true,
		},
		"remaining life time is not in grace period": {
			jwt:            thirdPartyJwt,

) (*security.Options, error) {
	jwtPath := constants.ThirdPartyJwtPath
	switch jwtPolicy {
	case jwt.PolicyThirdParty:
		log.Info("JWT policy is third-party-jwt")
		jwtPath = constants.ThirdPartyJwtPath
	case jwt.PolicyFirstParty:
		log.Warnf("Using deprecated JWT policy 'first-party-jwt'; treating as 'third-party-jwt'")
		jwtPath = constants.ThirdPartyJwtPath
	default:
		log.Info("Using existing certs")
	}

	o := secOpt

                        Only string values are supported.
```

## Example

Here is an example of using sa-jwt.py to generate a JWT token.

```bash
./sa-jwt.py /path/to/service_account.json -iss ******@****.*** -aud foo,bar
./sa-jwt.py /path/to/service_account.json -iss ******@****.*** -aud foo,bar -claims key1:value1,key2:value2

							prefix: "[No JWT]",
							jwt:    "",
							path:   "/token1",
							allow:  false,
						},
						{
							prefix: "[No JWT]",
							jwt:    "",
							path:   "/token2",
							allow:  false,
						},
						{
							prefix: "[Token1]",
							jwt:    jwt.TokenIssuer1, path: "/token1", allow: true,
						},
						{
							prefix: "[Token1]",
							jwt:    jwt.TokenIssuer1,

	}
	// Create an expired JWT token
	expiredStr := strconv.FormatInt(time.Now().Add(-time.Hour).Unix(), 10)
	expiredClaims := `{"iss": "` + server.URL + `", "aud": ["baz.svc.id.goog"], "sub": "system:serviceaccount:bar:foo", "exp": ` + expiredStr + `}`
	expiredToken, err := generateJWT(&key, []byte(expiredClaims))
	if err != nil {
		t.Fatalf("failed to generate an expired JWT: %v", err)
	}

    - to: # checks only a call 443 over istio mutual without JWT
        - operation:
            hosts: [ "{{ .Allowed.ServiceName }}-{{ .Allowed.NamespaceName }}-only.com" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to: # checks workload can call 443 over istio mutual with JWT
        - operation:
            hosts: [ "jwt-only.com" ]
      from:
        - source:

								WithAuthz(jwt.TokenExpired).
								Build()
							opts.Check = check.Status(http.StatusUnauthorized)
						},
					},
					{
						name: "allow with sub-1 token on any.com",
						customizeCall: func(opts *echo.CallOptions, to echo.Target) {
							opts.HTTP.Path = "/"
							opts.HTTP.Headers = headers.New().
								WithHost(fmt.Sprintf("any-request-principal-ok.%s.com", to.ServiceName())).
								WithAuthz(jwt.TokenIssuer1).

}

// untrustedIssuer extracts an untrusted "iss" claim from the given JWT token,
// or returns an error if the token can not be parsed.  Since the JWT is not
// verified, the returned issuer should not be trusted.
func untrustedIssuer(token string) (string, error) {
	if strings.HasPrefix(strings.TrimSpace(token), "{") {
		return "", fmt.Errorf("token is not compact JWT")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {

#   limitations under the License.

# build a jwt-server binary using the golang container
FROM golang:1.19 as builder
WORKDIR /go/src/istio.io/jwt-server/
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o jwt-server main.go

FROM gcr.io/distroless/static-debian11@sha256:21d3f84a4f37c36199fd07ad5544dcafecc17776e3f3628baf9a57c8c0181b3f as distroless

WORKDIR /bin/