jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    outputPayloadToHeader: "x-test-payload"
    outputClaimToHeaders:
    - header: "x-jwt-iss"
      claim: "iss"
    - header: "x-jwt-iat"
      claim: "iat"
    - header: "x-jwt-nested-claim"
      claim: "nested.nested-2.key2"
  - issuer: "******@****.***"

  "token_type": "Bearer",
  "expires_in": 3600
}
```

### 4. JWT Claims

The id_token received is a signed JSON Web Token (JWT). Use a JWT decoder to decode the id_token to access the payload of the token that includes following JWT claims:

	// our current use of jwt.Expected above should make these cases impossible to hit
	case jwt.ErrInvalidAudience, jwt.ErrInvalidID, jwt.ErrInvalidIssuer, jwt.ErrInvalidSubject:
		klog.Errorf("service account token claim validation got unexpected validation failure: %v", err)
		return nil, fmt.Errorf("service account token claims could not be validated: %w", err) // safe to pass these errors back to the user

	default:

= vendor/github.com/golang-jwt/jwt/v4 licensed under: =

Copyright (c) 2012 Dave Grijalva
Copyright (c) 2021 golang-jwt maintainers

	"istio.io/istio/pkg/test/framework/resource/config/apply"
	"istio.io/istio/tests/common/jwt"
	"istio.io/istio/tests/integration/security/util"
)

// TestRemoteJwks tests always delegate Envoy to fetch http jwks server.
func TestRemoteJwks(t *testing.T) {
	payload1 := strings.Split(jwt.TokenIssuer1, ".")[1]
	framework.NewTest(t).
		Run(func(t framework.TestContext) {
			ns := apps.EchoNamespace.Namespace

}

type jwtPayload struct {
	// Aud is JWT token audience - used to identify 3p tokens.
	// It is empty for the default K8S tokens.
	Aud []string `json:"aud"`
}

// ExtractJwtAud extracts the audiences from a JWT token. If aud cannot be parse, the bool will be set
// to false. This distinguishes aud=[] from not parsed.
func ExtractJwtAud(jwt string) ([]string, bool) {
	jwtSplit := strings.Split(jwt, ".")
	if len(jwtSplit) != 3 {

  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    audiences:
    - "foo"
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    audiences:
    - "bar"
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:

	"istio.io/istio/pkg/config/schema/gvk"
	"istio.io/istio/pkg/jwt"
)

type JWTClaimRouteAnalyzer struct{}

var _ analysis.Analyzer = &JWTClaimRouteAnalyzer{}

// Metadata implements Analyzer
func (s *JWTClaimRouteAnalyzer) Metadata() analysis.Metadata {
	return analysis.Metadata{
		Name:        "virtualservice.JWTClaimRouteAnalyzer",
		Description: "Checks the VirtualService using JWT claim based routing has corresponding RequestAuthentication",

	"istio.io/istio/pkg/test/framework/components/jwt"
	"istio.io/istio/pkg/test/framework/components/namespace"
	"istio.io/istio/pkg/test/framework/label"
	"istio.io/istio/pkg/test/framework/resource"
	"istio.io/istio/pkg/test/util/tmpl"
	"istio.io/istio/tests/integration/security/util/cert"
)

var (
	ist       istio.Instance
	apps      deployment.SingleNamespaceView
	jwtServer jwt.Server
	echoNS    namespace.Instance

// See the License for the specific language governing permissions and
// limitations under the License.

package jwt

import (
	"istio.io/istio/pkg/test/framework"
	"istio.io/istio/pkg/test/framework/components/namespace"
	"istio.io/istio/pkg/test/framework/resource"
)

// Server for JWT tokens.
type Server interface {
	Namespace() namespace.Instance
	FQDN() string
	HTTPPort() int
	HTTPSPort() int