Chain of Authentication and Authorization in Istio-Ingress

We have micro-services deployed in K8s with Istio as service mesh and exposed using Istio-Ingress.

Now, we would like to add AuthN and AuthZ using Istio-Ingress ingress controller.

  1. We would like do Oauth2-OpenID in Istio-Ingress/Gateway controller. The jwt token returned from OIDC is having UUID of user, but not his UserGroup.
  2. We have k8s service which has mapping of user UUID and UserGroup (Backend dynamodb). So we need to retrieve group of user.
  3. We have OPA (open policy agent) based rules for AuthZ of service APIs against UserGroup. So service APIs/urls have to be verified against UserGroup.
  4. Once after successful AuthN and AuthZ, http headers with user UserGroup, UUID should be passed to upstream services.
  5. Also we need to set downstream cookies with user UUID, UserGroup for client apps to use it.

All these above 5 steps can be performed in bit and pieces. But, not together as chain of proxies/chain of AuthFilters.
Is there a way to do these in ‘Istio-Ingress’ ingress/gateway controller?