kubernetes-sigs
diff --git a/‎docs/guide/ingress/annotations.md‎
Lines changed: 14 additions & 0 deletions b/‎docs/guide/ingress/annotations.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 5 additions & 5 deletions b/‎go.mod‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎go.sum‎
Lines changed: 10 additions & 10 deletions b/‎go.sum‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎pkg/annotations/constants.go‎
Lines changed: 1 addition & 0 deletions b/‎pkg/annotations/constants.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/deploy/elbv2/listener_utils.go‎
Lines changed: 22 additions & 1 deletion b/‎pkg/deploy/elbv2/listener_utils.go‎
Lines changed: 22 additions & 1 deletion
diff --git a/‎pkg/deploy/elbv2/listener_utils_test.go‎
Lines changed: 83 additions & 1 deletion b/‎pkg/deploy/elbv2/listener_utils_test.go‎
Lines changed: 83 additions & 1 deletion
diff --git a/‎pkg/equality/elbv2/compare_option_for_actions.go‎
Lines changed: 2 additions & 0 deletions b/‎pkg/equality/elbv2/compare_option_for_actions.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/ingress/config_types.go‎
Lines changed: 30 additions & 0 deletions b/‎pkg/ingress/config_types.go‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎pkg/ingress/enhanced_backend_builder.go‎
Lines changed: 51 additions & 8 deletions b/‎pkg/ingress/enhanced_backend_builder.go‎
Lines changed: 51 additions & 8 deletions
@@ -61,6 +61,7 @@ You can add annotations to kubernetes Ingress and Service objects to customize t
 | [alb.ingress.kubernetes.io/auth-scope](#auth-scope)                                                   | string                                             |openid| Ingress,Service | N/A           |
 | [alb.ingress.kubernetes.io/auth-session-cookie](#auth-session-cookie)                                 | string                                             |AWSELBAuthSessionCookie| Ingress,Service | N/A           |
 | [alb.ingress.kubernetes.io/auth-session-timeout](#auth-session-timeout)                               | integer                                            |'604800'| Ingress,Service | N/A           |
+| [alb.ingress.kubernetes.io/jwt-validation](#jwt-validation)                               | json                                            |N/A| Ingress | N/A           |
 | [alb.ingress.kubernetes.io/actions.${action-name}](#actions)                                          | json                                               |N/A| Ingress         | N/A           |
 | [alb.ingress.kubernetes.io/transforms.${transforms-name}](#transforms)                                | json                                               |N/A| Ingress         | N/A           |
 | [alb.ingress.kubernetes.io/conditions.${conditions-name}](#conditions)                                | json                                               |N/A| Ingress         | N/A           |
@@ -847,6 +848,19 @@ ALB supports authentication with Cognito or OIDC. See [Authenticate Users Using
         alb.ingress.kubernetes.io/auth-session-timeout: '86400'
         ```
 
+## Token Validation
+ALB supports validating JSON Web Tokens (JWTs) for secure service-to-service communication. The `exp` and `iss` claims are always validated by default. If present, the `nbf` and `iat` claims will also be automatically validated. JWT validation can be controlled with the following annotation:
+
+!!!warning "HTTPS only"
+    JWT validation is only supported for HTTPS listeners. See [TLS](#tls) for configuring HTTPS listeners.
+
+- <a name="jwt-validation">`alb.ingress.kubernetes.io/jwt-validation`</a> specifies the configuration for JWT validation. This includes the JSON Web Key Set (JWKS) endpoint and issuer, along with any additional claims to validate. For each additional claim added, the name of the claim, the format of the values in the JWT, and the values of the claim should all be specified.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/jwt-validation: '{"jwksEndpoint":"https://example-endpoint.com","issuer":"https://example-issuer.com","additionalClaims":[{"name":"admin","format":"single-string","values":["true"]},{"name":"ver","format":"string-array","values":["6","19"]},{"name":"scope","format":"space-separated-values","values":["read:api","write","email"]}]}'
+        ```
+
 ## Health Check
 Health check on target groups can be controlled with following annotations:
 
 
@@ -3,21 +3,21 @@ module sigs.k8s.io/aws-load-balancer-controller
 go 1.24.9
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.39.2
+	github.com/aws/aws-sdk-go-v2 v1.39.6
 	github.com/aws/aws-sdk-go-v2/config v1.27.27
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.27
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11
 	github.com/aws/aws-sdk-go-v2/service/acm v1.28.4
 	github.com/aws/aws-sdk-go-v2/service/appmesh v1.27.7
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.173.0
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.51.0
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.52.0
 	github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.23.3
 	github.com/aws/aws-sdk-go-v2/service/servicediscovery v1.31.7
 	github.com/aws/aws-sdk-go-v2/service/shield v1.27.3
 	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3
 	github.com/aws/aws-sdk-go-v2/service/wafregional v1.23.3
 	github.com/aws/aws-sdk-go-v2/service/wafv2 v1.51.4
-	github.com/aws/smithy-go v1.23.0
+	github.com/aws/smithy-go v1.23.2
 	github.com/evanphx/json-patch v5.9.11+incompatible
 	github.com/gavv/httpexpect/v2 v2.9.0
 	github.com/go-logr/logr v1.4.3
@@ -60,8 +60,8 @@ require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
 
@@ -29,18 +29,18 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/aws/aws-sdk-go-v2 v1.39.2 h1:EJLg8IdbzgeD7xgvZ+I8M1e0fL0ptn/M47lianzth0I=
-github.com/aws/aws-sdk-go-v2 v1.39.2/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
+github.com/aws/aws-sdk-go-v2 v1.39.6 h1:2JrPCVgWJm7bm83BDwY5z8ietmeJUbh3O2ACnn+Xsqk=
+github.com/aws/aws-sdk-go-v2 v1.39.6/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
 github.com/aws/aws-sdk-go-v2/config v1.27.27 h1:HdqgGt1OAP0HkEDDShEl0oSYa9ZZBSOmKpdpsDMdO90=
 github.com/aws/aws-sdk-go-v2/config v1.27.27/go.mod h1:MVYamCg76dFNINkZFu4n4RjDixhVr51HLj4ErWzrVwg=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.27 h1:2raNba6gr2IfA0eqqiP2XiQ0UVOpGPgDSi0I9iAP+UI=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.27/go.mod h1:gniiwbGahQByxan6YjQUMcW4Aov6bLC3m+evgcoN4r4=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 h1:KreluoV8FZDEtI6Co2xuNk/UqI9iwMrOx/87PBNIKqw=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11/go.mod h1:SeSUYBLsMYFoRvHE0Tjvn7kbxaUhl75CJi1sbfhMxkU=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 h1:se2vOWGD3dWQUtfn4wEjRQJb1HK1XsNIt825gskZ970=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9/go.mod h1:hijCGH2VfbZQxqCDN7bwz/4dzxV+hkyhjawAtdPWKZA=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 h1:6RBnKZLkJM4hQ+kN6E7yWFveOTg8NLPHAkqrs4ZPlTU=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9/go.mod h1:V9rQKRmK7AWuEsOMnHzKj8WyrIir1yUJbZxDuZLFvXI=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 h1:a+8/MLcWlIxo1lF9xaGt3J/u3yOZx+CdSveSNwjhD40=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13/go.mod h1:oGnKwIYZ4XttyU2JWxFrwvhF6YKiK/9/wmE3v3Iu9K8=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 h1:HBSI2kDkMdWz4ZM7FjwE7e/pWDEZ+nR95x8Ztet1ooY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13/go.mod h1:YE94ZoDArI7awZqJzBAZ3PDD2zSfuP7w6P2knOzIn8M=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
 github.com/aws/aws-sdk-go-v2/service/acm v1.28.4 h1:wiW1Y6/1lysA0eJZRq0I53YYKuV9MNAzL15z2eZRlEE=
@@ -49,8 +49,8 @@ github.com/aws/aws-sdk-go-v2/service/appmesh v1.27.7 h1:q44a6kysAfej9zZwRnraOg9s
 github.com/aws/aws-sdk-go-v2/service/appmesh v1.27.7/go.mod h1:ZYSmrgAMp0rTCHH+SGsoxZo+PPbgsDqBzewTp3tSJ60=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.173.0 h1:ta62lid9JkIpKZtZZXSj6rP2AqY5x1qYGq53ffxqD9Q=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.173.0/go.mod h1:o6QDjdVKpP5EF0dp/VlvqckzuSDATr1rLdHt3A5m0YY=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.51.0 h1:Zy1yjx+R6cR4pAwzFFJ8nWJh4ri8I44H76PDJ77tcJo=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.51.0/go.mod h1:RuZwE3p8IrWqK1kZhwH2TymlHLPuiI/taBMb8vrD39Q=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.52.0 h1:ZEXlVNHNM5R4BCrK79Y/cXEEmkGFDhBBKz4YlEfgNRk=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.52.0/go.mod h1:Uyo8wjqYyZaHVqoe+APHe4+THRGv4pctJzItYYnRe5Q=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 h1:HGErhhrxZlQ044RiM+WdoZxp0p+EGM62y3L6pwA4olE=
@@ -71,8 +71,8 @@ github.com/aws/aws-sdk-go-v2/service/wafregional v1.23.3 h1:7dr6En0/6KRFoz8VmnYk
 github.com/aws/aws-sdk-go-v2/service/wafregional v1.23.3/go.mod h1:24TtlRsv4LKAE3VnRJQhpatr8cpX0yj8NSzg8/lxOCw=
 github.com/aws/aws-sdk-go-v2/service/wafv2 v1.51.4 h1:1khBA5uryBRJoCb4G2iR5RT06BkfPEjjDCHAiRb8P3Q=
 github.com/aws/aws-sdk-go-v2/service/wafv2 v1.51.4/go.mod h1:QpFImaPGKNwa+MiZ+oo6LbV1PVQBapc0CnrAMRScoxM=
-github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE=
-github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
+github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 
@@ -52,6 +52,7 @@ const (
 	IngressSuffixAuthScope                                     = "auth-scope"
 	IngressSuffixAuthSessionCookie                             = "auth-session-cookie"
 	IngressSuffixAuthSessionTimeout                            = "auth-session-timeout"
+	IngressSuffixJwtValidation                                 = "jwt-validation"
 	IngressSuffixTargetNodeLabels                              = "target-node-labels"
 	IngressSuffixManageSecurityGroupRules                      = "manage-backend-security-group-rules"
 	IngressSuffixMutualAuthentication                          = "mutual-authentication"
 
@@ -2,13 +2,14 @@ package elbv2
 
 import (
 	"context"
+	"time"
+
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
 	"github.com/aws/smithy-go"
 	"github.com/pkg/errors"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
-	"time"
 )
 
 const (
@@ -55,6 +56,9 @@ func buildSDKAction(modelAction elbv2model.Action, featureGates config.FeatureGa
 	if modelAction.AuthenticateOIDCConfig != nil {
 		sdkObj.AuthenticateOidcConfig = buildSDKAuthenticateOidcActionConfig(*modelAction.AuthenticateOIDCConfig)
 	}
+	if modelAction.JwtValidationConfig != nil {
+		sdkObj.JwtValidationConfig = buildSDKJwtValidationConfig(*modelAction.JwtValidationConfig)
+	}
 	if modelAction.FixedResponseConfig != nil {
 		sdkObj.FixedResponseConfig = buildSDKFixedResponseActionConfig(*modelAction.FixedResponseConfig)
 	}
@@ -108,6 +112,23 @@ func buildSDKAuthenticateOidcActionConfig(modelCfg elbv2model.AuthenticateOIDCAc
 	}
 }
 
+func buildSDKJwtValidationConfig(modelCfg elbv2model.JwtValidationConfig) *elbv2types.JwtValidationActionConfig {
+	var additionalClaims []elbv2types.JwtValidationActionAdditionalClaim
+	for _, additionalClaim := range modelCfg.AdditionalClaims {
+		additionalClaims = append(additionalClaims, elbv2types.JwtValidationActionAdditionalClaim{
+			Format: elbv2types.JwtValidationActionAdditionalClaimFormatEnum(additionalClaim.Format),
+			Name:   awssdk.String(additionalClaim.Name),
+			Values: append([]string{}, additionalClaim.Values...),
+		})
+	}
+
+	return &elbv2types.JwtValidationActionConfig{
+		JwksEndpoint:     awssdk.String(modelCfg.JwksEndpoint),
+		Issuer:           awssdk.String(modelCfg.Issuer),
+		AdditionalClaims: additionalClaims,
+	}
+}
+
 func buildSDKFixedResponseActionConfig(modelCfg elbv2model.FixedResponseActionConfig) *elbv2types.FixedResponseActionConfig {
 	return &elbv2types.FixedResponseActionConfig{
 		ContentType: modelCfg.ContentType,
 
@@ -1,10 +1,14 @@
 package elbv2
 
 import (
+	"testing"
+
+	awssdk "github.com/aws/aws-sdk-go-v2/aws"
+	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
 	"github.com/aws/smithy-go"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
-	"testing"
+	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 )
 
 func Test_isListenerNotFoundError(t *testing.T) {
@@ -45,3 +49,81 @@ func Test_isListenerNotFoundError(t *testing.T) {
 		})
 	}
 }
+
+func Test_buildSDKJwtValidationConfig(t *testing.T) {
+	type args struct {
+		jwtValidationConfig elbv2model.JwtValidationConfig
+	}
+	tests := []struct {
+		name string
+		args args
+		want *elbv2types.JwtValidationActionConfig
+	}{
+		{
+			name: "jwt validation with no additional claims",
+			args: args{
+				jwtValidationConfig: elbv2model.JwtValidationConfig{
+					JwksEndpoint: "https://issuer.example.com/.well-known/jwks.json",
+					Issuer:       "https://issuer.com",
+				},
+			},
+			want: &elbv2types.JwtValidationActionConfig{
+				JwksEndpoint: awssdk.String("https://issuer.example.com/.well-known/jwks.json"),
+				Issuer:       awssdk.String("https://issuer.com"),
+			},
+		},
+		{
+			name: "jwt validation with additional claims",
+			args: args{
+				jwtValidationConfig: elbv2model.JwtValidationConfig{
+					JwksEndpoint: "https://issuer.example.com/.well-known/jwks.json",
+					Issuer:       "https://issuer.com",
+					AdditionalClaims: []elbv2model.JwtAdditionalClaim{
+						{
+							Format: "string-array",
+							Name:   "scope",
+							Values: []string{"read:api", "write:api"},
+						},
+						{
+							Format: "single-string",
+							Name:   "iat",
+							Values: []string{"12456"},
+						},
+						{
+							Format: "space-separated-values",
+							Name:   "aud",
+							Values: []string{"https://example.com", "https://another-site.com"},
+						},
+					},
+				},
+			},
+			want: &elbv2types.JwtValidationActionConfig{
+				JwksEndpoint: awssdk.String("https://issuer.example.com/.well-known/jwks.json"),
+				Issuer:       awssdk.String("https://issuer.com"),
+				AdditionalClaims: []elbv2types.JwtValidationActionAdditionalClaim{
+					{
+						Format: "string-array",
+						Name:   awssdk.String("scope"),
+						Values: []string{"read:api", "write:api"},
+					},
+					{
+						Format: "single-string",
+						Name:   awssdk.String("iat"),
+						Values: []string{"12456"},
+					},
+					{
+						Format: "space-separated-values",
+						Name:   awssdk.String("aud"),
+						Values: []string{"https://example.com", "https://another-site.com"},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t1 *testing.T) {
+			got := buildSDKJwtValidationConfig(tt.args.jwtValidationConfig)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
@@ -95,6 +95,8 @@ func CompareOptionForActions(_, _ []elbv2types.Action) cmp.Option {
 		cmpopts.EquateEmpty(),
 		cmpopts.IgnoreUnexported(elbv2types.AuthenticateCognitoActionConfig{}),
 		cmpopts.IgnoreUnexported(elbv2types.AuthenticateOidcActionConfig{}),
+		cmpopts.IgnoreUnexported(elbv2types.JwtValidationActionConfig{}),
+		cmpopts.IgnoreUnexported(elbv2types.JwtValidationActionAdditionalClaim{}),
 		cmpopts.IgnoreUnexported(elbv2types.FixedResponseActionConfig{}),
 		cmpopts.SortSlices(func(lhs elbv2types.Action, rhs elbv2types.Action) bool {
 			if lhs.Order == nil || rhs.Order == nil {
 
@@ -500,3 +500,33 @@ func (t *Transform) Validate() error {
 	}
 	return nil
 }
+
+// The format of an additional claim's value(s) used in JWT validation.
+type jwtAdditionalClaimFormat string
+
+const (
+	FormatSingleString         jwtAdditionalClaimFormat = "single-string"
+	FormatStringArray          jwtAdditionalClaimFormat = "string-array"
+	FormatSpaceSeparatedValues jwtAdditionalClaimFormat = "space-separated-values"
+)
+
+// An additional claim to validate during JWT validation.
+type JwtAdditionalClaim struct {
+	// The format of the claim value(s).
+	Format jwtAdditionalClaimFormat `json:"format"`
+	// The claim name.
+	Name string `json:"name"`
+	// The claim values.
+	Values []string `json:"values"`
+}
+
+// Information about an action that performs JSON Web Token (JWT) validation prior to the routing action.
+type JwtValidationConfig struct {
+	// The JSON Web Key Set (JWKS) endpoint containing the public keys used to verify the JWT.
+	JwksEndpoint string `json:"jwksEndpoint"`
+	// The issuer of the JWT.
+	Issuer string `json:"issuer"`
+	// Any additional claims in the JWT that should be validated.
+	// +optional
+	AdditionalClaims []JwtAdditionalClaim `json:"additionalClaims,omitempty"`
+}
@@ -30,10 +30,11 @@ const (
 // It contains additional routing conditions and authentication configurations we parsed from annotations.
 // Also, when magic string `use-annotation` is specified as backend, the actions will be parsed from annotations as well.
 type EnhancedBackend struct {
-	Conditions []RuleCondition
-	Transforms []Transform
-	Action     Action
-	AuthConfig AuthConfig
+	Conditions          []RuleCondition
+	Transforms          []Transform
+	Action              Action
+	AuthConfig          AuthConfig
+	JwtValidationConfig *JwtValidationConfig
 }
 
 type EnhancedBackendBuildOptions struct {
@@ -151,11 +152,18 @@ func (b *defaultEnhancedBackendBuilder) Build(ctx context.Context, ing *networki
 		}
 	}
 
+	var jwtValidationConfig *JwtValidationConfig
+	jwtValidationConfig, err = b.buildJwtValidationConfig(ctx, ing.Annotations)
+	if err != nil {
+		return EnhancedBackend{}, err
+	}
+
 	return EnhancedBackend{
-		Conditions: conditions,
-		Transforms: transforms,
-		Action:     action,
-		AuthConfig: authCfg,
+		Conditions:          conditions,
+		Transforms:          transforms,
+		Action:              action,
+		AuthConfig:          authCfg,
+		JwtValidationConfig: jwtValidationConfig,
 	}, nil
 }
 
@@ -307,6 +315,41 @@ func (b *defaultEnhancedBackendBuilder) buildAuthConfig(ctx context.Context, act
 	return b.authConfigBuilder.Build(ctx, svcAndIngAnnotations)
 }
 
+// Parse annotations to construct JWT validation config model
+func (b *defaultEnhancedBackendBuilder) buildJwtValidationConfig(_ context.Context, ingAnnotation map[string]string) (*JwtValidationConfig, error) {
+	jwtValidationConfig := JwtValidationConfig{}
+	exists, err := b.annotationParser.ParseJSONAnnotation(annotations.IngressSuffixJwtValidation, &jwtValidationConfig, ingAnnotation)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, nil
+	}
+
+	// Ensure required fields are present
+	if jwtValidationConfig.JwksEndpoint == "" {
+		return nil, errors.Errorf("jwksEndpoint is a required field for jwt validation")
+	}
+	if jwtValidationConfig.Issuer == "" {
+		return nil, errors.Errorf("issuer is a required field for jwt validation")
+	}
+
+	// If additional claims are present, ensure each additional claim's required fields are present as well
+	for _, additionalClaim := range jwtValidationConfig.AdditionalClaims {
+		if additionalClaim.Format == "" {
+			return nil, errors.Errorf("format is a required field for additional claims for jwt validation")
+		}
+		if additionalClaim.Name == "" {
+			return nil, errors.Errorf("name is a required field for additional claims for jwt validation")
+		}
+		if len(additionalClaim.Values) == 0 {
+			return nil, errors.Errorf("values must not be empty for additional claims for jwt validation")
+		}
+	}
+
+	return &jwtValidationConfig, nil
+}
+
 // build503ResponseAction generates a 503 fixed response action when forward to a single non-existent Kubernetes Service.
 func (b *defaultEnhancedBackendBuilder) build503ResponseAction(messageBody string) Action {
 	return Action{