"username": "jane",
				"exp": %d
			}`, valid.Unix()),
			wantErr: `oidc: verify token: oidc: expected audience "my-client" got ["not-my-client"]`,
		},
		{
			// ID tokens may contain multiple audiences:
			// https://openid.net/specs/openid-connect-core-1_0.html#IDToken
			name: "multiple-audiences",
			options: Options{
				JWTAuthenticator: apiserver.JWTAuthenticator{
					Issuer: apiserver.Issuer{

      notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]
  - when:
    - key: "request.auth.audiences"
      values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"]
      notValues: ["not-audiences", "not-audiences-prefix-*", "*-not-suffix-audiences", "*"]
  - when:
    - key: "request.auth.presenter"
      values: ["presenter", "presenter-prefix-*", "*-suffix-presenter", "*"]

	// We take implicit audiences of the API server at WebhookTokenAuthenticator
	// construction time. The outline of how we validate audience here is:
	//
	// * if the ctx is not audience limited, don't do any audience validation.
	// * if ctx is audience-limited, add the audiences to the tokenreview spec
	//   * if the tokenreview returns with audiences in the status that intersect

  optional UserInfo user = 2;

  // Audiences are audience identifiers chosen by the authenticator that are
  // compatible with both the TokenReview and token. An identifier is any
  // identifier in the intersection of the TokenReviewSpec audiences and the
  // token's audiences. A client of the TokenReview API that sets the
  // spec.audiences field should validate that a compatible audience identifier

  // identifier in the intersection of the TokenReviewSpec audiences and the
  // token's audiences. A client of the TokenReview API that sets the
  // spec.audiences field should validate that a compatible audience identifier
  // is returned in the status.audiences field to ensure that the TokenReview
  // server is audience aware. If a TokenReview returns an empty
  // status.audience field where status.authenticated is "true", the token is

		{
			auds:     Audiences{"foo"},
			tauds:    Audiences{"foo"},
			expected: Audiences{"foo"},
		},
		{
			auds:     Audiences{"foo", "bar"},
			tauds:    Audiences{"foo", "bar"},
			expected: Audiences{"foo", "bar"},
		},
		{
			auds:     Audiences{"foo", "bar"},
			tauds:    Audiences{"foo", "wat"},
			expected: Audiences{"foo"},
		},
		{
			auds:     Audiences{"foo", "bar"},
			tauds:    Audiences{"pls", "wat"},

  // identifier in the intersection of the TokenReviewSpec audiences and the
  // token's audiences. A client of the TokenReview API that sets the
  // spec.audiences field should validate that a compatible audience identifier
  // is returned in the status.audiences field to ensure that the TokenReview
  // server is audience aware. If a TokenReview returns an empty
  // status.audience field where status.authenticated is "true", the token is

		},
		{
			description:  "bad audiences",
			implicitAuds: apiAuds,
			reqAuds:      authenticator.Audiences{"other"},
			serverResponse: authenticationv1beta1.TokenReviewStatus{
				Authenticated: false,
			},
			expectedAuthenticated: false,
		},
		{
			description:  "bad audiences",
			implicitAuds: apiAuds,
			reqAuds:      authenticator.Audiences{"other"},

func (v *idTokenVerifier) verifyAudience(t *oidc.IDToken) error {
	// We validate audience field is not empty in the authentication configuration.
	// This check ensures callers of "Verify" using idTokenVerifier are not passing
	// an empty audience.
	if v.audiences.Len() == 0 {
		return fmt.Errorf("oidc: invalid configuration, audiences cannot be empty")
	}

        authentication_attempts{result="failure"} 1
				`,
		},
		{
			desc: "auth failed due to audiences not intersecting",
			response: &authenticator.Response{
				User:      &user.DefaultInfo{Name: "admin"},
				Audiences: authenticator.Audiences{"audience-x"},
			},
			status:      true,
			apiAudience: authenticator.Audiences{"audience-y"},
			want: `
        # HELP authentication_attempts [ALPHA] Counter of authenticated attempts.