Dex Istio authorization

Hello, I have a question about authorization inside Istio. On my cluster I use Istio and Dex as the OIDC provider, and now I want to set up some authorization of users at the ingress gateway level.
This is how the workflow looks now:
A user goes to https://my-domain.com, then the user is forwarded to https://my-domain.com/dex to authenticate; he can use the Google connector that is implemented in Dex. If the user authenticates correctly, he is moved back to https://my-domain.com.
Now I have some other routes like https://my-domain.com/kibana. I want to check whether the user's email has access to this route; I don't want all users to be able to go to this route.

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: istio-ingressgateway
  jwtRules:
    - issuer: "https://my-domain/dex"
      jwksUri: "https://my-domain/dex/keys"
      outputPayloadToHeader: "x-jwt"
      forwardOriginalToken: true
      fromHeaders:
        - name: Authorization
          prefix: "Bearer "
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: kibana-authorization
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/kibana"]
    when:
    - key: request.auth.claims[email]
      values: ["hubert@example.com"]

I want only the user with the email above to have access.


apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: logs-kibana
  namespace: monitoring
spec:
  hosts:
  - "*"
  gateways:
  - kubeflow/kubeflow-gateway
  http:
  - match:
    - uri:
        prefix: "/kibana"
    route:
    - destination:
        host: kibana.monitoring.svc.cluster.local
        port:
          number: 5601

This solution didn’t work. I think Dex is not returning JWT tokens, or we do not pass these tokens when requesting from a web browser. Did anyone try to do something like this, or is it not achievable?
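A simplified model of how the posted RequestAuthentication and AuthorizationPolicy decide on a request, added here as an example (not the poster's code and not Istio's implementation). It assumes signature validation against the JWKS has already happened, that header names are lowercase, and that the sample requests and tokens are constructed.

```python
import base64
import json

# Values copied from the RequestAuthentication and AuthorizationPolicy in the post.
ISSUER = "https://my-domain/dex"
METHODS, PATHS, EMAILS = {"GET"}, ["/kibana"], {"hubert@example.com"}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(claims: dict) -> str:  # constructed token with a dummy signature
    header = b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.c2ln"

def claims_from(headers: dict):
    """Mirror fromHeaders: only 'Authorization: Bearer <jwt>' is inspected."""
    value = headers.get("authorization", "")
    parts = value[len("Bearer "):].split(".") if value.startswith("Bearer ") else []
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None

def path_matches(path: str, pattern: str) -> bool:
    """Istio path values match exactly unless they start or end with '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern

def evaluate(method: str, path: str, headers: dict):
    """Return (allowed, reason) for one request under the single ALLOW rule."""
    claims = claims_from(headers)
    if not claims or claims.get("iss") != ISSUER:
        return False, "no JWT principal: Authorization header missing or issuer mismatch"
    if method not in METHODS or not any(path_matches(path, p) for p in PATHS):
        return False, "operation not matched by the rule"
    if claims.get("email") not in EMAILS:
        return False, "email claim not in allowed values"
    return True, "rule matched"

if __name__ == "__main__":
    good = {"authorization": "Bearer " + sample_token({"iss": ISSUER, "email": "hubert@example.com"})}
    for path, hdrs in [("/kibana", {"cookie": "sid=constructed"}), ("/kibana", good), ("/kibana/app", good)]:
        print(path, evaluate("GET", path, hdrs))
```

In this model a browser request that carries only a session cookie is denied because nothing places the token in the Authorization header, and /kibana/app is denied because the paths value has no trailing `*`.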