I have created an authorization policy as shown below and specified rules to apply for the GET and POST methods, which include the path. If the REST endpoint contains "account" in the path, then check whether the scope includes "yzx". But if I send the scope "xyz" for the account API, it is not throwing a 403 error.
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "auth-policy"
spec:
  selector:
    matchLabels:
      app: billing
  rules:
  - to:
    - operation:
        methods: ["GET"]
        path: ["customerBill/"]
    when:
    - key: request.auth.claims[scope]
      values: ["xyz"]
  - to:
    - operation:
        methods: ["GET"]
        path: ["account/"]
    when:
    - key: request.auth.claims[scope]
      values: ["yzx"]
  - to:
    - operation:
        methods: ["POST"]
    when:
    - key: request.auth.claims[scope]
      values: ["abc"]
Am I missing something?
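As an added illustration (not part of the question above, and not the asker's configuration), here is the same intent written the way the Istio AuthorizationPolicy API expects it, next to the RequestAuthentication that actually populates request.auth.claims. Two things differ from the posted policy: the operation field is `paths` (plural), and the incoming request path always begins with "/", so a value like "account/" never matches anything; Istio supports exact, prefix ("/account/*"), suffix ("*/account") and presence ("*") patterns only. The namespace "billing", the issuer and the jwksUri are assumed placeholders.

```yaml
# Added example; not the question author's manifest. Namespace, issuer and
# jwksUri are assumptions and must be replaced with real values.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: billing-jwt
  namespace: billing                  # assumed
spec:
  selector:
    matchLabels:
      app: billing
  jwtRules:
  # Without a matching jwtRule the JWT is never validated and
  # request.auth.claims is empty, so no claim-based `when` can match.
  - issuer: "https://issuer.example.com"                          # assumed
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"   # assumed
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: auth-policy
  namespace: billing                  # assumed; must be the workload's namespace
spec:
  selector:
    matchLabels:
      app: billing
  action: ALLOW    # the default, spelled out: rules are OR'ed, and a request
                   # that matches no rule is rejected with 403.
  rules:
  # Rule 1: GET under /customerBill/ requires scope "xyz".
  # Within one rule, `to` and `when` are AND'ed.
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/customerBill/*"]    # `paths`, not `path`; leading "/"; trailing "*" = prefix match
    when:
    - key: request.auth.claims[scope]
      values: ["xyz"]
  # Rule 2: GET under /account/ requires scope "yzx".
  # Note "/account/*" does not match a bare "/account"; add it explicitly if needed.
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/account/*"]
    when:
    - key: request.auth.claims[scope]
      values: ["yzx"]
  # Rule 3: any POST requires scope "abc".
  - to:
    - operation:
        methods: ["POST"]
    when:
    - key: request.auth.claims[scope]
      values: ["abc"]
```

Checks worth running before concluding the rules are wrong: confirm the object was actually admitted (`kubectl get authorizationpolicy auth-policy -n billing -o yaml`) and run `istioctl analyze -n billing`, since a policy that was rejected or that selects no pod silently allows everything. Then turn on RBAC debug logging in the sidecar (`istioctl proxy-config log <billing-pod> --level rbac:debug`) and send a request such as `curl -H "Authorization: Bearer $TOKEN" http://<host>/account/123`; the proxy log shows which rule, if any, matched. Finally, check how the identity provider encodes the scope claim: Istio compares a string claim for exact equality (a list claim matches if any element equals a value), so a token whose scope is "xyz read" is not the same as "xyz".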