JWT token and mTLS switching

Hi,
this is my current configuration:

  tls:
    refreshInterval: 0s
    expirationChecks:
      warningWindow: 0s
      errorWindow: 0s
      checkInterval: 0s
    internode:
      # This server section configures the TLS certificate that internal temporal
      # cluster nodes (history or matching) present to other clients within the Temporal Cluster.
      server:
        requireClientAuth: false
        certFile: /test/server/certs/cluster.pem
        keyFile: /test/server/certs/cluster.key
        clientCaFiles:
          - /test/server/certs/ca.cert
        certData:
        keyData:
      # This client section is used to configure the TLS clients within
      # the Temporal Cluster that connect to an Internode (history or matching)
      client:
        serverName: tls-sample
        disableHostVerification: true
        rootCaFiles:
          - /test/server/certs/ca.cert
    frontend:
      # This server section configures the TLS certificate that the Frontend
      # server presents to all clients (specifically the Worker role within
      # the Temporal Cluster and all External SDKs connecting to the Cluster)
      server:
        requireClientAuth: true
        certFile: /test/server/certs/cluster.pem
        keyFile: /test/server/certs/cluster.key
        clientCaFiles:
          - /test/server/certs/ca.cert
        certData:
        keyData:
      # This client section is used to configure the TLS clients within
      # the Temporal Cluster (specifically the Worker role) that connect to the Frontend service
      client:
        serverName: tls-sample
        disableHostVerification: false
        rootCaFiles:
          - /test/server/certs/ca.cert

I would like to implement the following two cases:

  1. connection with worker (A2A) → use mTLS with no JWT
  2. connection with tctl (U2A) → use only JWT without mTLS

When I use tctl with no certs, I observe that the request is blocked and the GetClaims code is not reached (it seems that “requireClientAuth: true” sets “tls.RequireAndVerifyClientCert”, so only a client with a valid certificate is accepted).

Otherwise, if I set “requireClientAuth: false”, no certificate is taken into consideration, so I cannot implement “case 1”.

Thanks
Regards