// We take implicit audiences of the API server at WebhookTokenAuthenticator
	// construction time. The outline of how we validate audience here is:
	//
	// * if the ctx is not audience limited, don't do any audience validation.
	// * if ctx is audience-limited, add the audiences to the tokenreview spec
	//   * if the tokenreview returns with audiences in the status that intersect

  optional UserInfo user = 2;

  // Audiences are audience identifiers chosen by the authenticator that are
  // compatible with both the TokenReview and token. An identifier is any
  // identifier in the intersection of the TokenReviewSpec audiences and the
  // token's audiences. A client of the TokenReview API that sets the
  // spec.audiences field should validate that a compatible audience identifier

  // identifier in the intersection of the TokenReviewSpec audiences and the
  // token's audiences. A client of the TokenReview API that sets the
  // spec.audiences field should validate that a compatible audience identifier
  // is returned in the status.audiences field to ensure that the TokenReview
  // server is audience aware. If a TokenReview returns an empty
  // status.audience field where status.authenticated is "true", the token is

  // identifier in the intersection of the TokenReviewSpec audiences and the
  // token's audiences. A client of the TokenReview API that sets the
  // spec.audiences field should validate that a compatible audience identifier
  // is returned in the status.audiences field to ensure that the TokenReview
  // server is audience aware. If a TokenReview returns an empty
  // status.audience field where status.authenticated is "true", the token is

		},
		{
			description:  "bad audiences",
			implicitAuds: apiAuds,
			reqAuds:      authenticator.Audiences{"other"},
			serverResponse: authenticationv1beta1.TokenReviewStatus{
				Authenticated: false,
			},
			expectedAuthenticated: false,
		},
		{
			description:  "bad audiences",
			implicitAuds: apiAuds,
			reqAuds:      authenticator.Audiences{"other"},

func (v *idTokenVerifier) verifyAudience(t *oidc.IDToken) error {
	// We validate audience field is not empty in the authentication configuration.
	// This check ensures callers of "Verify" using idTokenVerifier are not passing
	// an empty audience.
	if v.audiences.Len() == 0 {
		return fmt.Errorf("oidc: invalid configuration, audiences cannot be empty")
	}

        authentication_attempts{result="failure"} 1
				`,
		},
		{
			desc: "auth failed due to audiences not intersecting",
			response: &authenticator.Response{
				User:      &user.DefaultInfo{Name: "admin"},
				Audiences: authenticator.Audiences{"audience-x"},
			},
			status:      true,
			apiAudience: authenticator.Audiences{"audience-y"},
			want: `
        # HELP authentication_attempts [ALPHA] Counter of authenticated attempts.

# - Allow request with valid JWT token to access path /jwt1
# - Allow request with valid JWT token of presenter bar to access path with suffix "/presenter"
# - Allow request with valid JWT token of audiences foo to access path with suffix "/audiences"

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"

          notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]
        - key: "request.auth.audiences"
          values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"]
          notValues: ["not-audiences", "not-audiences-prefix-*", "*-not-suffix-audiences", "*"]
        - key: "request.auth.presenter"
          values: ["presenter", "presenter-prefix-*", "*-suffix-presenter", "*"]

	ksa := parts[3]
	if !checkAudience(sa.Aud, j.audiences) {
		return nil, fmt.Errorf("invalid audiences %v", sa.Aud)
	}
	return &security.Caller{
		AuthSource: security.AuthSourceIDToken,
		Identities: []string{spiffe.MustGenSpiffeURI(j.meshHolder.Mesh(), ns, ksa)},
	}, nil
}

// checkAudience() returns true if the audiences to check are in
// the expected audiences. Otherwise, return false.