Add spaceDelimitedClaims field to RequestAuthentication API

[fjglira]

Related Issues
#56873

Following a change in Istio 1.21, JWT claims other than scope and permissions are treated as exact string values. This created an issue for users with custom, space-delimited claims (for example: a roles claim with the value "editor admin"), as they could no longer match individual values like editor or admin in their Authorization Policies.

This PR introduces a new field, spaceDelimitedClaims, to the RequestAuthentication API. This field allows users to explicitly specify a list of custom claims that Istio should parse as space-delimited strings. This restores the previous, more flexible behavior for users who depend on it, without changing the new default for other claims.

API Changes

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
spec:
  jwtRules:
  - issuer: "https://example.com"
    jwksUri: "https://example.com/.well-known/jwks.json"
    spaceDelimitedClaims:
    - "custom_scope"
    - "provider.login.scope"
    - "roles"

This change is fully backward compatible. The default behavior for the standard scope and permissions claims remains unchanged; they will always be treated as space-delimited lists, regardless of whether they are included in the new field.

[istio-policy-bot]

😊 Welcome @fjglira! This is either your first contribution to the Istio api repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.