// identifier in the intersection of the TokenReviewSpec audiences and the
  // token's audiences. A client of the TokenReview API that sets the
  // spec.audiences field should validate that a compatible audience identifier
  // is returned in the status.audiences field to ensure that the TokenReview
  // server is audience aware. If a TokenReview returns an empty
  // status.audience field where status.authenticated is "true", the token is

        authentication_attempts{result="failure"} 1
				`,
		},
		{
			desc: "auth failed due to audiences not intersecting",
			response: &authenticator.Response{
				User:      &user.DefaultInfo{Name: "admin"},
				Audiences: authenticator.Audiences{"audience-x"},
			},
			status:      true,
			apiAudience: authenticator.Audiences{"audience-y"},
			want: `
        # HELP authentication_attempts [ALPHA] Counter of authenticated attempts.

# - Allow request with valid JWT token to access path /jwt1
# - Allow request with valid JWT token of presenter bar to access path with suffix "/presenter"
# - Allow request with valid JWT token of audiences foo to access path with suffix "/audiences"

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"

          notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]
        - key: "request.auth.audiences"
          values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"]
          notValues: ["not-audiences", "not-audiences-prefix-*", "*-not-suffix-audiences", "*"]
        - key: "request.auth.presenter"
          values: ["presenter", "presenter-prefix-*", "*-suffix-presenter", "*"]

	ksa := parts[3]
	if !checkAudience(sa.Aud, j.audiences) {
		return nil, fmt.Errorf("invalid audiences %v", sa.Aud)
	}
	return &security.Caller{
		AuthSource: security.AuthSourceIDToken,
		Identities: []string{spiffe.MustGenSpiffeURI(j.meshHolder.Mesh(), ns, ksa)},
	}, nil
}

// checkAudience() returns true if the audiences to check are in
// the expected audiences. Otherwise, return false.

			if err != nil {
				klog.ErrorS(err, "Unable to authenticate the request")
			}
			failed.ServeHTTP(w, req)
			return
		}

		if !audiencesAreAcceptable(apiAuds, resp.Audiences) {
			err = fmt.Errorf("unable to match the audience: %v , accepted: %v", resp.Audiences, apiAuds)
			klog.Error(err)
			failed.ServeHTTP(w, req)
			return
		}

		// authorization header is not required anymore in case of a successful authentication.

  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    audiences:
    - "foo"
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
    audiences:
    - "bar"
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ .To.ServiceName }}-part2

	return authenticationv1beta1.TokenReviewStatus{
		Authenticated: in.Authenticated,
		User:          v1UserToV1beta1User(in.User),
		Audiences:     in.Audiences,
		Error:         in.Error,
	}
}

func v1UserToV1beta1User(u authenticationv1.UserInfo) authenticationv1beta1.UserInfo {
	var extra map[string]authenticationv1beta1.ExtraValue
	if u.Extra != nil {

	tokenNamespace, tokenServiceAccount string, audiences []string, expirationSeconds int64,
) (*authenticationv1.TokenRequest, error) {
	return client.Kube().CoreV1().ServiceAccounts(tokenNamespace).CreateToken(ctx, tokenServiceAccount,
		&authenticationv1.TokenRequest{
			Spec: authenticationv1.TokenRequestSpec{
				Audiences:         audiences,
				ExpirationSeconds: &expirationSeconds,
			},

// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TokenRequestSpec) DeepCopyInto(out *TokenRequestSpec) {
	*out = *in
	if in.Audiences != nil {
		in, out := &in.Audiences, &out.Audiences
		*out = make([]string, len(*in))
		copy(*out, *in)
	}
	if in.ExpirationSeconds != nil {
		in, out := &in.ExpirationSeconds, &out.ExpirationSeconds
		*out = new(int64)