In my development environments I have multiple gateways setup with the same JWKS but the issuer is different. I noticed that JWT were able to authenticate with all the environments even though issuer was different.
Is this expected? I assumed that Istio would validate that the issuer in the token matched the issuer setup in the policy but that does not seem to be the case. It just uses the key.