How to validate token header by path RequestAuthentication

I have an AuthenticationPolicy implemented like this:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.10/security/tools/jwt/samples/jwks.json"

By using AuthorizationPolicy I have some paths that require a valid token and some that don’t. The problem is that in some paths that don’t require a valid token the client is sending a request with an Authorization header with a non-JWT token (the end application will handle this token), but in this case the RequestAuthentication is returning a 401 because this non-JWT token is an invalid JWT.

I would like to know if there is a way to bypass this token validation, at least in some paths.

That’s an interesting use case. The problem is that the RequestAuthentication cannot distinguish the two tokens, so it has to reject the “invalid” one; otherwise it could be a security bypass.

For the non-JWT token, is it possible to put it in a different header or use a different prefix than the “Bearer”?

That is the solution that we chose. We used a different header, but it still looks like a limitation to me.
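
The workaround agreed on in this thread, written out as an added configuration example (not posted by any participant): the RequestAuthentication from the question stays as it is, an AuthorizationPolicy enforces the JWT only on protected paths, and the application's own token travels in a separate header. The `X-App-Token` header name, the policy name and the `/api/private/*` path are assumptions chosen for illustration.

```yaml
# Added example. X-App-Token, the policy name and the path are hypothetical.
# RequestAuthentication from the question, unchanged. It validates any
# "Authorization: Bearer <token>" it sees and answers 401 when that value
# is not a valid JWT, but it lets requests with no token through.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.10/security/tools/jwt/samples/jwks.json"
---
# Protected paths only: reject requests that carry no validated JWT
# principal. Paths not listed here remain reachable without a token.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "require-jwt-on-protected-paths"   # hypothetical name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/api/private/*"]           # hypothetical protected prefix
# Client side, on paths that do not require a JWT:
#   before:  Authorization: Bearer <opaque-app-token>   -> 401 at the gateway
#   after:   X-App-Token: <opaque-app-token>            -> passed to the app
# The gateway never tries to parse X-App-Token as a JWT, so the end
# application remains the only component that validates it.
```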