Do Authorization Policy conditions support object array values for request.auth.claims?

Hello,

I am integrating Keycloak with Istio Security as of version 1.4.3. I would like to access the permissions from the JWT payload, but I cannot access the deeper JSON path, scopes.

The JWT payload is as below:

{
    "jti": "b8063b15-8a8e-4717-b3a9-33d466628b1f",
    "exp": 1581788041,
    "nbf": 0,
    "iat": 1581780841,
    "aud": "bookinfo",
    "typ": "Bearer",
    "auth_time": 0,
    "acr": "1",
    "permissions": [
        {
            "scopes": [
                "httpbin:headers"
            ],
            "rsid": "b7e88219-2adf-4d70-baad-6d5386d4606a",
            "rsname": "httpbin"
        }
    ],
    "active": true
}

The AuthorizationPolicy config is as below. For a request to httpbin/headers, Istio security would check the JSON path request.auth.claims.permissions.scopes to see whether the value "httpbin:headers" is assigned, but it seems request.auth.claims only supports the first-tier key and a value of string map.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-gateway-httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        namespaces: ["istio-system"]
    to:
    - operation:
        paths: ["/headers"]
    when:
    # It seems this key doesn't work. How do I configure it correctly, or is it currently not supported?
    - key: request.auth.claims[permissions][scopes]
      values:
        - httpbin:headers

Thank you in advance!
Anderson

There is an issue created on GitHub: https://github.com/istio/istio/issues/21340
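
An added example, not part of the original post and not Istio's code: a simplified Python model of the two lookups in question, run over a trimmed copy of the posted payload. first_tier_match is an assumed model of the behaviour the post observes (one top-level claim holding a string or a list of strings); deep_values is a hypothetical resolver showing what the [permissions][scopes] path would have to do.

```python
import re

# Trimmed copy of the payload from the post (claims relevant to the question).
CLAIMS = {
    "aud": "bookinfo",
    "permissions": [
        {"scopes": ["httpbin:headers"], "rsname": "httpbin"},
    ],
    "active": True,
}

def parse_key(key):
    """Split 'request.auth.claims[a][b]' into ['a', 'b']."""
    prefix = "request.auth.claims"
    if not key.startswith(prefix):
        raise ValueError("not a claims key: " + key)
    rest = key[len(prefix):]
    parts = re.findall(r"\[([^\[\]]+)\]", rest)
    if not parts or "".join("[%s]" % p for p in parts) != rest:
        raise ValueError("malformed key: " + key)
    return parts

def strings_at(node):
    """Values a string or list-of-strings claim offers for matching."""
    if isinstance(node, str):
        return [node]
    if isinstance(node, list) and all(isinstance(v, str) for v in node):
        return list(node)
    return []  # objects, arrays of objects, booleans and numbers offer nothing

def first_tier_match(claims, key, values):
    """Assumed model of the observed behaviour: a single top-level name only."""
    path = parse_key(key)
    if len(path) != 1:
        return False
    return any(v in values for v in strings_at(claims.get(path[0])))

def deep_values(node, path):
    """Hypothetical: descend into objects and fan out over arrays of objects."""
    if not path:
        return strings_at(node)
    if isinstance(node, list):
        return [s for item in node for s in deep_values(item, path)]
    if isinstance(node, dict) and path[0] in node:
        return deep_values(node[path[0]], path[1:])
    return []
```

Under this model the aud claim matches "bookinfo", while permissions, being an array of objects, yields no matchable strings unless the lookup fans out over the array as deep_values does.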