Cannot get EnvoyFilter ext_authz to work

The idea is to use Istio (v1.6.1) to authenticate a service (httpbin here) with an external IDP (Dex) via an OAuth proxy. For the sake of completeness I will put all the code here.

The filter seems to be intercepting on port 80, but the patch to ext_authz doesn't seem to do anything. It just times out even though the service on the URI is up and accessible. The outbound cluster is also accessible and listed in the istio-proxy of the httpbin pod.

Filter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: httpbin
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 80
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
          http_service:
            server_uri:
              uri: http://oauthproxy-service.default.svc.cluster.local
              cluster: outbound|4180||oauthproxy-service.default.svc.cluster.local:4180
              timeout: 3s

Other pieces:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
  namespace: foo
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        port:
          number: 8000
        host: httpbin.foo.svc.cluster.local

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
  namespace: foo
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
  namespace: foo
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      containers:
        - args:
            - --cookie-secure=false
            - --upstream=file://dev/null
            - --http-address=0.0.0.0:4180
            - --cookie-secret=changeme
            - --client-id=changeme
            - --client-secret=changeme
            - --email-domain="*"
            - --provider=oidc
            - --provider-display-name="Dex oidc"
            - --redirect-url=http://10.106.200.144:4180/oauth2/callback
            # The following should match what is configured in Dex
            - --oidc-issuer-url=http://192.168.64.1:5556/dex

          image: quay.io/pusher/oauth2_proxy:v5.1.1
          imagePullPolicy: Always
          name: oauth2-proxy
          ports:
            - containerPort: 4180
              protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauthproxy-service
  namespace: default
spec:
  ports:
    - name: http
      port: 4180
      protocol: TCP
      targetPort: 4180
  selector:
    k8s-app: oauth2-proxy

I can see a few similar questions in the forum, most of them with no final outcome. I am suspecting the viability of this solution using filters altogether.

This is the filter that eventually worked for me:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  #namespace: istio-system
  namespace: foo
spec:
  workloadSelector:
    labels:
      app: httpbin
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 80
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        #name: envoy.filters.http.ext_authz
        name: envoy.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
          http_service:
            server_uri:
              uri: http://oauthproxy-service.default.svc.cluster.local:4180
              cluster: outbound|4180||oauthproxy-service.default.svc.cluster.local
              timeout: 3s

            authorizationRequest:
              allowedHeaders:
                patterns:
                - exact: "cookie"
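Added here as a checker, not code from either post: it takes the `server_uri` block of an ext_authz `http_service` (as Python dicts constructed inline from the two filters in this thread) and reports where the `uri` and the Istio `outbound|<port>||<host>` cluster name disagree, which is exactly what differs between the filter that timed out and the one that worked. It also reports whether `cookie` is on the `allowedHeaders` allow-list, which the working filter adds so the oauth2-proxy session cookie is forwarded to the proxy (the assumption being that the header name is compared case-insensitively).

```python
import re
from urllib.parse import urlparse

# Istio names sidecar outbound clusters outbound|<port>||<service host>;
# the host part must not carry a port of its own.
CLUSTER_RE = re.compile(r"^outbound\|(\d+)\|\|([^:|]+)$")


def check_server_uri(server_uri):
    """Return problems found in an ext_authz http_service.server_uri block ([] = consistent)."""
    problems = []
    uri = server_uri.get("uri", "")
    cluster = server_uri.get("cluster", "")
    parsed = urlparse(uri)
    uri_port = parsed.port  # None when the uri carries no explicit port
    if uri_port is None:
        problems.append("uri does not specify a port")
    m = CLUSTER_RE.match(cluster)
    if not m:
        problems.append(f"cluster is not outbound|<port>||<host>: {cluster!r}")
        return problems
    cluster_port, cluster_host = int(m.group(1)), m.group(2)
    if parsed.hostname != cluster_host:
        problems.append(f"uri host {parsed.hostname!r} != cluster host {cluster_host!r}")
    if uri_port is not None and uri_port != cluster_port:
        problems.append(f"uri port {uri_port} != cluster port {cluster_port}")
    return problems


def missing_allowed_headers(http_service, required=("cookie",)):
    """Return the header names in `required` that authorizationRequest.allowedHeaders omits."""
    patterns = (http_service.get("authorizationRequest", {})
                .get("allowedHeaders", {})
                .get("patterns", []))
    allowed = {p.get("exact", "").lower() for p in patterns}
    return [h for h in required if h.lower() not in allowed]


# Constructed copies of the server_uri blocks from the two filters above.
BROKEN = {"uri": "http://oauthproxy-service.default.svc.cluster.local",
          "cluster": "outbound|4180||oauthproxy-service.default.svc.cluster.local:4180"}
WORKING = {"uri": "http://oauthproxy-service.default.svc.cluster.local:4180",
           "cluster": "outbound|4180||oauthproxy-service.default.svc.cluster.local"}
# http_service of the working filter, with its cookie allow-list.
WORKING_HTTP_SERVICE = {"server_uri": WORKING,
                        "authorizationRequest": {"allowedHeaders": {"patterns": [{"exact": "cookie"}]}}}

if __name__ == "__main__":
    for name, block in (("broken", BROKEN), ("working", WORKING)):
        print(name, check_server_uri(block) or "ok")
    print("missing headers:", missing_allowed_headers(WORKING_HTTP_SERVICE) or "none")
```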