}
	// Use bearer token
	aud := tokenAudiences
	isMCP := strings.HasSuffix(opts.Xds, ".googleapis.com") || strings.HasSuffix(opts.Xds, ".googleapis.com:443")
	if isMCP {
		// Special credentials handling when using ASM Managed Control Plane.
		mem, err := getHubMembership(ctx, kubeClient)
		if err != nil {
			return nil, fmt.Errorf("failed to query Hub membership: %w", err)
		}
		aud = []string{mem.WorkloadIdentityPool}
	}

		manager, err := NewManager(ctx, ManagerOptions{
			Dialer: dialer.DialContext,
			Local:  host,
			Hosts:  hosts,
			AuthRequest: func(r *http.Request) error {
				return nil
			},
			AddAuth:      func(aud string) string { return aud },
			BlockConnect: ready,
		})
		if err != nil {
			return nil, err
		}
		m := mux.NewRouter()
		m.Handle(RoutePath, manager.Handler())
		res.Managers = append(res.Managers, manager)

    # Istiod is the default
    pilotCertProvider: istiod
    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca
    sts:
      # The service port used by Security Token Service (STS) server to handle token exchange requests.

		fn := authenticateNode
		b.ResetTimer()
		b.ReportAllocs()
		for i := 0; i < b.N; i++ {
			fn(creds.AccessKey, creds.SecretKey, "aud")
		}
	})
	b.Run("cached", func(b *testing.B) {
		fn := newCachedAuthToken()
		b.ResetTimer()
		b.ReportAllocs()
		for i := 0; i < b.N; i++ {
			fn("aud")
		}
	})

                    case "email_verified":
                        attributes.put("email_verified", jsonParser.getText());
                        break;
                    case "aud":
                        attributes.put("aud", jsonParser.getText());
                        break;
                    case "iat":
                        attributes.put("iat", jsonParser.getText());
                        break;

    # Istiod is the default
    pilotCertProvider: istiod

    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca

    sts:

    # Istiod is the default
    pilotCertProvider: istiod

    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca

    sts:

		if debugPrint {
			fmt.Printf("handler: Got Connect Req %+v\n", cReq)
		}
		writeErr(remote.handleIncoming(ctx, conn, cReq))
	}
}

// AuthFn should provide an authentication string for the given aud.
type AuthFn func(aud string) string

// Connection will return the connection for the specified host.
// If the host does not exist nil will be returned.
func (m *Manager) Connection(host string) *Connection {

    # Istiod is the default
    pilotCertProvider: istiod

    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca

    sts:

  - name: istio-token
    projected:
      sources:
      - serviceAccountToken:
          path: istio-token
          expirationSeconds: 43200
          audience: {{ .Values.global.sds.token.aud }}
  {{- if eq .Values.global.pilotCertProvider "istiod" }}
  - name: istiod-ca-cert
    configMap:
      name: istio-ca-root-cert
  {{- end }}
  {{- if .Values.global.mountMtlsCerts }}