From f4e15d8efc10b26aa5fef102e5cb7f8cf8b31216 Mon Sep 17 00:00:00 2001 From: longwuliang Date: Sat, 22 Apr 2023 17:39:09 +0800 Subject: [PATCH] support specify jwt requirement --- kubernetes/customresourcedefinitions.gen.yaml | 14 ++ proto.lock | 46 ++++++ security/v1/jwt.pb.go | 132 ++++++++++++++--- security/v1/jwt.pb.html | 55 ++++++- security/v1/jwt.proto | 25 ++++ security/v1beta1/jwt.gen.json | 12 ++ security/v1beta1/jwt.pb.go | 134 ++++++++++++++---- security/v1beta1/jwt.pb.html | 55 ++++++- security/v1beta1/jwt.proto | 25 ++++ .../v1beta1/request_authentication.gen.json | 12 ++ 10 files changed, 461 insertions(+), 49 deletions(-) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 7c2948565d2..76a7541c2be 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -6821,6 +6821,13 @@ spec: type: array outputPayloadToHeader: type: string + requirement: + description: This field specifies a Jwt requirement. + enum: + - ALLOW_MISSING + - ALLOW_MISSING_OR_FAILED + - ALLOW_VALID + type: string type: object type: array selector: @@ -6905,6 +6912,13 @@ spec: type: array outputPayloadToHeader: type: string + requirement: + description: This field specifies a Jwt requirement. + enum: + - ALLOW_MISSING + - ALLOW_MISSING_OR_FAILED + - ALLOW_VALID + type: string type: object type: array selector: diff --git a/proto.lock b/proto.lock index 6e07cbcf0da..21a7923eb2b 100644 --- a/proto.lock +++ b/proto.lock @@ -44233,6 +44233,24 @@ { "protopath": "security:/:v1:/:jwt.proto", "def": { + "enums": [ + { + "name": "JWTRule.Requirement", + "enum_fields": [ + { + "name": "ALLOW_MISSING" + }, + { + "name": "ALLOW_MISSING_OR_FAILED", + "integer": 1 + }, + { + "name": "ALLOW_VALID", + "integer": 2 + } + ] + } + ], "messages": [ { "name": "JWTRule", 
@@ -44291,6 +44309,11 @@ "name": "output_claim_to_headers", "type": "ClaimToHeader", "is_repeated": true + }, + { + "id": 12, + "name": "requirement", + "type": "Requirement" } ] }, @@ -44729,6 +44752,24 @@ { "protopath": "security:/:v1beta1:/:jwt.proto", "def": { + "enums": [ + { + "name": "JWTRule.Requirement", + "enum_fields": [ + { + "name": "ALLOW_MISSING" + }, + { + "name": "ALLOW_MISSING_OR_FAILED", + "integer": 1 + }, + { + "name": "ALLOW_VALID", + "integer": 2 + } + ] + } + ], "messages": [ { "name": "JWTRule", @@ -44787,6 +44828,11 @@ "name": "output_claim_to_headers", "type": "ClaimToHeader", "is_repeated": true + }, + { + "id": 12, + "name": "requirement", + "type": "Requirement" } ] }, diff --git a/security/v1/jwt.pb.go b/security/v1/jwt.pb.go index a31f63d545b..cdb1fe947ec 100644 --- a/security/v1/jwt.pb.go +++ b/security/v1/jwt.pb.go 
@@ -41,6 +41,60 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// Requirement specifies a Jwt requirement. +type JWTRule_Requirement int32 + +const ( + // The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. + // This is the default behavior. + JWTRule_ALLOW_MISSING JWTRule_Requirement = 0 + // The requirement is always satisfied even if JWT is missing or the JWT verification fails. + JWTRule_ALLOW_MISSING_OR_FAILED JWTRule_Requirement = 1 + // The requirement is satisfied only if JWT is presented and verification successful. + JWTRule_ALLOW_VALID JWTRule_Requirement = 2 +) + +// Enum value maps for JWTRule_Requirement. +var ( + JWTRule_Requirement_name = map[int32]string{ + 0: "ALLOW_MISSING", + 1: "ALLOW_MISSING_OR_FAILED", + 2: "ALLOW_VALID", + } + JWTRule_Requirement_value = map[string]int32{ + "ALLOW_MISSING": 0, + "ALLOW_MISSING_OR_FAILED": 1, + "ALLOW_VALID": 2, + } +) + +func (x JWTRule_Requirement) Enum() *JWTRule_Requirement { + p := new(JWTRule_Requirement) + *p = x + return p +} + +func (x JWTRule_Requirement) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (JWTRule_Requirement) Descriptor() protoreflect.EnumDescriptor { + return file_security_v1_jwt_proto_enumTypes[0].Descriptor() +} + +func (JWTRule_Requirement) Type() protoreflect.EnumType { + return &file_security_v1_jwt_proto_enumTypes[0] +} + +func (x JWTRule_Requirement) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use JWTRule_Requirement.Descriptor instead. +func (JWTRule_Requirement) EnumDescriptor() ([]byte, []int) { + return file_security_v1_jwt_proto_rawDescGZIP(), []int{0, 0} +} + // 
@@ -73,6 +127,15 @@ const ( // fromHeaders: // - "x-goog-iap-jwt-assertion" // ``` +// +// The following example specifies that the JWT must be presented and verification successful. +// +// ```yaml +// - issuer: issuer-foo +// jwksUri: https://example.com/.well-known/jwks.json +// requirement: ALLOW_VALID +// +// ``` type JWTRule struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -168,6 +231,8 @@ type JWTRule struct { // ``` // [Experimental] This feature is a experimental feature. OutputClaimToHeaders []*ClaimToHeader `protobuf:"bytes,11,rep,name=output_claim_to_headers,json=outputClaimToHeaders,proto3" json:"output_claim_to_headers,omitempty"` // [TODO:Update the status whenever this feature is promoted.] + // This field specifies a Jwt requirement. This is optional, the default value is `ALLOW_MISSING`. + Requirement JWTRule_Requirement `protobuf:"varint,12,opt,name=requirement,proto3,enum=istio.security.v1.JWTRule_Requirement" json:"requirement,omitempty"` } func (x *JWTRule) Reset() { @@ -265,6 +330,13 @@ func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader { return nil } +func (x *JWTRule) GetRequirement() JWTRule_Requirement { + if x != nil { + return x.Requirement + } + return JWTRule_ALLOW_MISSING +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState 
@@ -391,7 +463,7 @@ var file_security_v1_jwt_proto_rawDesc = []byte{ 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, - 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9d, 0x03, 0x0a, 0x07, + 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb7, 0x04, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 
@@ -417,17 +489,27 @@ var file_security_v1_jwt_proto_rawDesc = []byte{ 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x14, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x43, 0x6c, 0x61, - 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x22, 0x3c, 0x0a, 0x09, 0x4a, - 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, - 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, - 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, - 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x48, 0x0a, 0x0b, 0x72, + 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0e, + 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, + 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x2e, 0x52, 0x65, 0x71, + 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x52, 0x0b, 0x72, 0x65, 0x71, 0x75, 0x69, 0x72, + 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x22, 0x4e, 0x0a, 0x0b, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 
0x65, + 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x11, 0x0a, 0x0d, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x4d, 0x49, + 0x53, 0x53, 0x49, 0x4e, 0x47, 0x10, 0x00, 0x12, 0x1b, 0x0a, 0x17, 0x41, 0x4c, 0x4c, 0x4f, 0x57, + 0x5f, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x52, 0x5f, 0x46, 0x41, 0x49, 0x4c, + 0x45, 0x44, 0x10, 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x56, 0x41, + 0x4c, 0x49, 0x44, 0x10, 0x02, 0x22, 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, + 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, + 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, + 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, + 0x69, 0x6d, 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, + 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -442,20 +524,23 @@ func file_security_v1_jwt_proto_rawDescGZIP() []byte { return file_security_v1_jwt_proto_rawDescData } +var file_security_v1_jwt_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_security_v1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1.JWTHeader - (*ClaimToHeader)(nil), // 2: istio.security.v1.ClaimToHeader + (JWTRule_Requirement)(0), // 0: istio.security.v1.JWTRule.Requirement + (*JWTRule)(nil), // 1: istio.security.v1.JWTRule + (*JWTHeader)(nil), // 2: istio.security.v1.JWTHeader + (*ClaimToHeader)(nil), // 3: istio.security.v1.ClaimToHeader } var file_security_v1_jwt_proto_depIdxs = []int32{ - 1, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader - 2, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 2, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader + 3, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader + 0, // 2: istio.security.v1.JWTRule.requirement:type_name -> istio.security.v1.JWTRule.Requirement + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_security_v1_jwt_proto_init() } 
@@ -506,13 +591,14 @@ func file_security_v1_jwt_proto_init() { File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_security_v1_jwt_proto_rawDesc, - NumEnums: 0, + NumEnums: 1, NumMessages: 3, NumExtensions: 0, NumServices: 0, }, GoTypes: file_security_v1_jwt_proto_goTypes, DependencyIndexes: file_security_v1_jwt_proto_depIdxs, + EnumInfos: file_security_v1_jwt_proto_enumTypes, MessageInfos: file_security_v1_jwt_proto_msgTypes, }.Build() File_security_v1_jwt_proto = out.File diff --git a/security/v1/jwt.pb.html b/security/v1/jwt.pb.html index 16d4eb44ba4..e2ada1b91f9 100644 --- a/security/v1/jwt.pb.html +++ b/security/v1/jwt.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs schema: istio.security.v1.JWTRule aliases: [/docs/reference/config/security/v1/jwt] -number_of_entries: 3 +number_of_entries: 4 ---

JWTRule

@@ -31,6 +31,11 @@

JWTRule

fromHeaders: - "x-goog-iap-jwt-assertion" +

The following example specifies that the JWT must be presented and verification successful.

+
- issuer: issuer-foo
+  jwksUri: https://example.com/.well-known/jwks.json
+  requirement: ALLOW_VALID
+
@@ -185,6 +190,17 @@

JWTRule

[Experimental] This feature is a experimental feature.

+ + + + + + +
+No +
requirementRequirement +

This field specifies a Jwt requirement. This is optional, the default value is ALLOW_MISSING.

+
No @@ -274,3 +290,40 @@

ClaimToHeader

+

JWTRule.Requirement

+
+

Requirement specifies a Jwt requirement.

+ + + + + + + + + + + + + + + + + + + + + + +
NameDescription
ALLOW_MISSING +

The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. +This is the default behavior.

+ +
ALLOW_MISSING_OR_FAILED +

The requirement is always satisfied even if JWT is missing or the JWT verification fails.

+ +
ALLOW_VALID +

The requirement is satisfied only if JWT is presented and verification successful.

+ +
+
diff --git a/security/v1/jwt.proto b/security/v1/jwt.proto index c75648620e4..ea4c66c0e61 100644 --- a/security/v1/jwt.proto +++ b/security/v1/jwt.proto @@ -56,6 +56,15 @@ option go_package="istio.io/api/security/v1"; // fromHeaders: // - "x-goog-iap-jwt-assertion" // ``` +// +// The following example specifies that the JWT must be presented and verification successful. +// +// ```yaml +// - issuer: issuer-foo +// jwksUri: https://example.com/.well-known/jwks.json +// requirement: ALLOW_VALID +// ``` +// message JWTRule { // Identifies the issuer that issued the JWT. See // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) @@ -162,6 +171,22 @@ message JWTRule { // ``` // [Experimental] This feature is a experimental feature. repeated ClaimToHeader output_claim_to_headers = 11; // [TODO:Update the status whenever this feature is promoted.] + + // Requirement specifies a Jwt requirement. + enum Requirement { + // The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. + // This is the default behavior. + ALLOW_MISSING = 0; + + // The requirement is always satisfied even if JWT is missing or the JWT verification fails. + ALLOW_MISSING_OR_FAILED = 1; + + // The requirement is satisfied only if JWT is presented and verification successful. + ALLOW_VALID = 2; + } + + // This field specifies a Jwt requirement. This is optional, the default value is `ALLOW_MISSING`. + Requirement requirement = 12; } // This message specifies a header location to extract JWT token. diff --git a/security/v1beta1/jwt.gen.json b/security/v1beta1/jwt.gen.json index 92cf1f8babe..799c35eb0dd 100644 --- a/security/v1beta1/jwt.gen.json +++ b/security/v1beta1/jwt.gen.json 
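Review bot: The sentence introducing the new example, `The following example specifies that the JWT must be presented and verification successful.`, is ungrammatical and leaves the failure outcome unstated, which matters for a setting whose whole point is fail-closed behaviour. I would change it to `The following example requires a JWT to be present and valid; a request with no token, or with a token that fails verification, does not satisfy the rule.` (the enum comment implies an unsatisfied requirement rejects the request, but it never says so — worth stating once here). The same text is copied into jwt.pb.go and jwt.pb.html, so fix the wording in the proto and regenerate rather than editing the generated files.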
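Review bot: `ALLOW_MISSING_OR_FAILED` lets a request through when its token fails verification, which contradicts the contract RequestAuthentication documents ("It will reject a request if the request contains invalid authentication information", visible in the request_authentication.gen.json hunk at the end of this patch), and the enum comment says nothing about what the proxy does with the invalid token afterwards. Before this ships the comment should state that a failed token yields no authenticated identity — no request principal and no claims exposed through `outputPayloadToHeader`/`outputClaimToHeaders` — or, if that is not how it is implemented, say what is, and it should warn that the token is still untrusted if forwarded. I would add under the value: `// WARNING: a token that fails verification is treated as if it were absent; intended for permissive rollout only, and should be paired with an AuthorizationPolicy that restricts access by requestPrincipals.` The RequestAuthentication description should be updated in the same change so the two documents agree.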
@@ -85,8 +85,20 @@ "items": { "$ref": "#/components/schemas/istio.security.v1beta1.ClaimToHeader" } + }, + "requirement": { + "$ref": "#/components/schemas/istio.security.v1beta1.JWTRule.Requirement" } } + }, + "istio.security.v1beta1.JWTRule.Requirement": { + "description": "Requirement specifies a Jwt requirement.", + "type": "string", + "enum": [ + "ALLOW_MISSING", + "ALLOW_MISSING_OR_FAILED", + "ALLOW_VALID" + ] } } } diff --git a/security/v1beta1/jwt.pb.go b/security/v1beta1/jwt.pb.go index 5c23ac4c2ef..84afa5092ac 100644 --- a/security/v1beta1/jwt.pb.go +++ b/security/v1beta1/jwt.pb.go 
@@ -41,6 +41,60 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// Requirement specifies a Jwt requirement. +type JWTRule_Requirement int32 + +const ( + // The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. + // This is the default behavior. + JWTRule_ALLOW_MISSING JWTRule_Requirement = 0 + // The requirement is always satisfied even if JWT is missing or the JWT verification fails. + JWTRule_ALLOW_MISSING_OR_FAILED JWTRule_Requirement = 1 + // The requirement is satisfied only if JWT is presented and verification successful. + JWTRule_ALLOW_VALID JWTRule_Requirement = 2 +) + +// Enum value maps for JWTRule_Requirement. +var ( + JWTRule_Requirement_name = map[int32]string{ + 0: "ALLOW_MISSING", + 1: "ALLOW_MISSING_OR_FAILED", + 2: "ALLOW_VALID", + } + JWTRule_Requirement_value = map[string]int32{ + "ALLOW_MISSING": 0, + "ALLOW_MISSING_OR_FAILED": 1, + "ALLOW_VALID": 2, + } +) + +func (x JWTRule_Requirement) Enum() *JWTRule_Requirement { + p := new(JWTRule_Requirement) + *p = x + return p +} + +func (x JWTRule_Requirement) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (JWTRule_Requirement) Descriptor() protoreflect.EnumDescriptor { + return file_security_v1beta1_jwt_proto_enumTypes[0].Descriptor() +} + +func (JWTRule_Requirement) Type() protoreflect.EnumType { + return &file_security_v1beta1_jwt_proto_enumTypes[0] +} + +func (x JWTRule_Requirement) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use JWTRule_Requirement.Descriptor instead. +func (JWTRule_Requirement) EnumDescriptor() ([]byte, []int) { + return file_security_v1beta1_jwt_proto_rawDescGZIP(), []int{0, 0} +} + // 
@@ -73,6 +127,15 @@ const ( // fromHeaders: // - "x-goog-iap-jwt-assertion" // ``` +// +// The following example specifies that the JWT must be presented and verification successful. +// +// ```yaml +// - issuer: issuer-foo +// jwksUri: https://example.com/.well-known/jwks.json +// requirement: ALLOW_VALID +// +// ``` type JWTRule struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -168,6 +231,8 @@ type JWTRule struct { // ``` // [Experimental] This feature is a experimental feature. OutputClaimToHeaders []*ClaimToHeader `protobuf:"bytes,11,rep,name=output_claim_to_headers,json=outputClaimToHeaders,proto3" json:"output_claim_to_headers,omitempty"` // [TODO:Update the status whenever this feature is promoted.] + // This field specifies a Jwt requirement. This is optional, the default value is `ALLOW_MISSING`. + Requirement JWTRule_Requirement `protobuf:"varint,12,opt,name=requirement,proto3,enum=istio.security.v1beta1.JWTRule_Requirement" json:"requirement,omitempty"` } func (x *JWTRule) Reset() { @@ -265,6 +330,13 @@ func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader { return nil } +func (x *JWTRule) GetRequirement() JWTRule_Requirement { + if x != nil { + return x.Requirement + } + return JWTRule_ALLOW_MISSING +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState 
@@ -392,7 +464,7 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa7, 0x03, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc6, 0x04, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 
@@ -418,18 +490,28 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x14, 0x6f, 0x75, 0x74, 0x70, 0x75, - 0x74, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x22, - 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, - 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, - 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, - 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, - 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1f, 0x5a, 0x1d, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, - 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, + 0x4d, 0x0a, 0x0b, 0x72, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x0c, + 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, + 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4a, 0x57, + 0x54, 0x52, 0x75, 0x6c, 0x65, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x52, 0x0b, 0x72, 0x65, 
0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x22, 0x4e, + 0x0a, 0x0b, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x11, 0x0a, + 0x0d, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x4e, 0x47, 0x10, 0x00, + 0x12, 0x1b, 0x0a, 0x17, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x4e, + 0x47, 0x5f, 0x4f, 0x52, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x01, 0x12, 0x0f, 0x0a, + 0x0b, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x56, 0x41, 0x4c, 0x49, 0x44, 0x10, 0x02, 0x22, 0x3c, + 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, + 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, + 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, + 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, + 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1f, 0x5a, 0x1d, 0x69, + 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -444,20 +526,23 @@ func file_security_v1beta1_jwt_proto_rawDescGZIP() []byte { return file_security_v1beta1_jwt_proto_rawDescData } +var file_security_v1beta1_jwt_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_security_v1beta1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1beta1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1beta1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1beta1.JWTHeader - (*ClaimToHeader)(nil), // 2: istio.security.v1beta1.ClaimToHeader + (JWTRule_Requirement)(0), // 0: istio.security.v1beta1.JWTRule.Requirement + (*JWTRule)(nil), // 1: istio.security.v1beta1.JWTRule + (*JWTHeader)(nil), // 2: istio.security.v1beta1.JWTHeader + (*ClaimToHeader)(nil), // 3: istio.security.v1beta1.ClaimToHeader } var file_security_v1beta1_jwt_proto_depIdxs = []int32{ - 1, // 0: istio.security.v1beta1.JWTRule.from_headers:type_name -> istio.security.v1beta1.JWTHeader - 2, // 1: istio.security.v1beta1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1beta1.ClaimToHeader - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 2, // 0: istio.security.v1beta1.JWTRule.from_headers:type_name -> istio.security.v1beta1.JWTHeader + 3, // 1: istio.security.v1beta1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1beta1.ClaimToHeader + 0, // 2: istio.security.v1beta1.JWTRule.requirement:type_name -> istio.security.v1beta1.JWTRule.Requirement + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_security_v1beta1_jwt_proto_init() } 
@@ -508,13 +593,14 @@ func file_security_v1beta1_jwt_proto_init() { File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_security_v1beta1_jwt_proto_rawDesc, - NumEnums: 0, + NumEnums: 1, NumMessages: 3, NumExtensions: 0, NumServices: 0, }, GoTypes: file_security_v1beta1_jwt_proto_goTypes, DependencyIndexes: file_security_v1beta1_jwt_proto_depIdxs, + EnumInfos: file_security_v1beta1_jwt_proto_enumTypes, MessageInfos: file_security_v1beta1_jwt_proto_msgTypes, }.Build() File_security_v1beta1_jwt_proto = out.File diff --git a/security/v1beta1/jwt.pb.html b/security/v1beta1/jwt.pb.html index 2e9b6c8d24d..fc1f532a6e4 100644 --- a/security/v1beta1/jwt.pb.html +++ b/security/v1beta1/jwt.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs schema: istio.security.v1beta1.JWTRule aliases: [/docs/reference/config/security/v1beta1/jwt] -number_of_entries: 3 +number_of_entries: 4 ---

JWTRule

@@ -31,6 +31,11 @@

JWTRule

fromHeaders: - "x-goog-iap-jwt-assertion" +

The following example specifies that the JWT must be presented and verification successful.

+
- issuer: issuer-foo
+  jwksUri: https://example.com/.well-known/jwks.json
+  requirement: ALLOW_VALID
+
@@ -185,6 +190,17 @@

JWTRule

[Experimental] This feature is a experimental feature.

+ + + + + + +
+No +
requirementRequirement +

This field specifies a Jwt requirement. This is optional, the default value is ALLOW_MISSING.

+
No @@ -274,3 +290,40 @@

ClaimToHeader

+

JWTRule.Requirement

+
+

Requirement specifies a Jwt requirement.

+ + + + + + + + + + + + + + + + + + + + + + +
NameDescription
ALLOW_MISSING +

The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. +This is the default behavior.

+ +
ALLOW_MISSING_OR_FAILED +

The requirement is always satisfied even if JWT is missing or the JWT verification fails.

+ +
ALLOW_VALID +

The requirement is satisfied only if JWT is presented and verification successful.

+ +
+
diff --git a/security/v1beta1/jwt.proto b/security/v1beta1/jwt.proto index fbd8d5a7990..a9feee60feb 100644 --- a/security/v1beta1/jwt.proto +++ b/security/v1beta1/jwt.proto @@ -56,6 +56,15 @@ option go_package="istio.io/api/security/v1beta1"; // fromHeaders: // - "x-goog-iap-jwt-assertion" // ``` +// +// The following example specifies that the JWT must be presented and verification successful. +// +// ```yaml +// - issuer: issuer-foo +// jwksUri: https://example.com/.well-known/jwks.json +// requirement: ALLOW_VALID +// ``` +// message JWTRule { // Identifies the issuer that issued the JWT. See // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) @@ -162,6 +171,22 @@ message JWTRule { // ``` // [Experimental] This feature is a experimental feature. repeated ClaimToHeader output_claim_to_headers = 11; // [TODO:Update the status whenever this feature is promoted.] + + // Requirement specifies a Jwt requirement. + enum Requirement { + // The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. + // This is the default behavior. + ALLOW_MISSING = 0; + + // The requirement is always satisfied even if JWT is missing or the JWT verification fails. + ALLOW_MISSING_OR_FAILED = 1; + + // The requirement is satisfied only if JWT is presented and verification successful. + ALLOW_VALID = 2; + } + + // This field specifies a Jwt requirement. This is optional, the default value is `ALLOW_MISSING`. + Requirement requirement = 12; } // This message specifies a header location to extract JWT token. diff --git a/security/v1beta1/request_authentication.gen.json b/security/v1beta1/request_authentication.gen.json index 399d9e954aa..04b2fb658eb 100644 --- a/security/v1beta1/request_authentication.gen.json +++ b/security/v1beta1/request_authentication.gen.json 
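Review bot: The `requirement` field comment does not say how the requirement composes when a RequestAuthentication lists several `jwtRules`: with `ALLOW_VALID` on one rule and `ALLOW_MISSING` on another, is a request carrying only a valid token for the second issuer rejected, and does `ALLOW_VALID` on two rules demand two tokens? A reader cannot tell from `This field specifies a Jwt requirement.`, and this is exactly the case that decides whether the setting is a fail-closed control or silently permissive. I would document the per-rule semantics explicitly, e.g. `// The requirement applies to the token this rule is responsible for; when multiple jwtRules are configured, a request must satisfy the requirement of every rule.` — with the last clause adjusted to whatever the implementation actually does. Minor: `Jwt` should be spelled `JWT` as elsewhere in this file, and the field carries no `[Experimental]`/status marker while `output_claim_to_headers` just above does, so say whether it is considered stable.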
@@ -85,9 +85,21 @@ "items": { "$ref": "#/components/schemas/istio.security.v1beta1.ClaimToHeader" } + }, + "requirement": { + "$ref": "#/components/schemas/istio.security.v1beta1.JWTRule.Requirement" } } }, + "istio.security.v1beta1.JWTRule.Requirement": { + "description": "Requirement specifies a Jwt requirement.", + "type": "string", + "enum": [ + "ALLOW_MISSING", + "ALLOW_MISSING_OR_FAILED", + "ALLOW_VALID" + ] + }, "istio.security.v1beta1.RequestAuthentication": { "description": "RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples: - Require JWT for all request for workloads that have label `app:httpbin`", "type": "object",