Conversation

@tanujd11 (Member) commented Nov 3, 2025

Problem:
Istio's RequestAuthentication has hardcoded allowMissing behavior, requiring users to combine it with AuthorizationPolicy to enforce JWT presence. This results in:

  • HTTP status 403 Forbidden instead of 401 Unauthorized for a missing JWT, which could be a requirement.
  • Missing WWW-Authenticate header (RFC 7235).

Solution:

  • Add a `bool require_jwt = 15;` field to the JWTRule message.
  • When true: missing JWT → 401 Unauthorized + `WWW-Authenticate: Bearer` header from the Envoy proxy.
  • When false (default): current behavior (JWT optional).

Istio PR will be taken up if this is acceptable.
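
As an added illustration (not code from this PR or from Istio's own repository), here is the two-resource pattern the description refers to, next to the single-resource form the proposed field would allow. The `requireJwt` YAML key is assumed from the proto field name, and the namespace, workload label, issuer and JWKS URL are constructed placeholders.

```yaml
# Added example, not from this PR. Today's pattern for requiring a JWT, then the proposed form.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"                         # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder
# Alone, this only rejects INVALID tokens; a request with no token passes (allowMissing).
---
# Workaround described in the PR: requestPrincipals ["*"] matches only requests that
# carried a valid JWT, so the authorization layer denies a missing token with
# 403 Forbidden and no WWW-Authenticate header.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
---
# Proposed form (`bool require_jwt = 15;` on JWTRule; YAML key `requireJwt` is assumed).
# With it set, the proxy answers a missing token with 401 Unauthorized and
# `WWW-Authenticate: Bearer`, so the AuthorizationPolicy above is not needed for presence.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: jwt-auth-required
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
    requireJwt: true   # proposed, not in released Istio; default false keeps current behaviour
```

A quick check of which layer rejected a request is the status code: 403 comes from the AuthorizationPolicy, while the proposed field would produce 401 from the JWT filter itself.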

@tanujd11 tanujd11 requested a review from a team as a code owner November 3, 2025 11:04

@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 3, 2025
@istio-testing (Collaborator) commented:

@tanujd11: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| release-notes_api | a6c960e | link | false | /test release-notes |


@howardjohn (Member) left a comment:

IIUC this is not really accidentally missing, but an intentional decision to decouple authentication and authorization. cc @louiscryan @costinm

@tanujd11 (Member, Author) commented Nov 4, 2025

With that being said, is there anything stopping us from adding this as a feature without changing the default behaviour, for backwards compatibility? This could be a requirement, and it is also a feature in Envoy (not exposed by Istio) where no header means unauthorised (so that authn could be retried) instead of denied, which is hardcoded in Istio.

@tanujd11 tanujd11 requested a review from howardjohn November 5, 2025 03:13