How to add the JWT to ALL services if the user got authentication from an OIDC provider

Hi Everyone,
I want to know how to accomplish my requirement as described below:

  1. I have some applications exposed to the outside via the gateway and virtual service. Let's say three applications: demo1 dot domain dot com, demo2 dot domain dot com, demo3 dot domain dot com (sorry, as a new user I can't put more than 4 links in the post).

  2. These applications will access the cluster-internal APIs (actually they are still virtual services). Let's say there are two APIs: api1.default.svc.cluster.local and api2.default.svc.cluster.local.

  3. I have configured the OIDC provider, and assume the callback URL I configured is demo1.domain.com/oauth2/callback.

  4. What I want to achieve is: when an unauthenticated user accesses a different domain like demo2.domain.com, they should also be redirected to the configured OIDC provider and finally returned to demo2.domain.com. At the same time, when the applications try to access the APIs, they will carry the JWT token to the API, and the API will have logic to check whether this application has permission to access it.

I am using the CUSTOM + extensionProviders (oauth2-proxy) solution now, which can be found on Google, but my issue is that I have many applications, and it's impossible for me to configure all the applications in the OIDC provider. So I want to configure only one single application in the OIDC provider, and it will serve all applications. Once the OIDC provider passes the authentication, I hope there is some interception in Istio to know which application should receive the JWT token. And later on, if the user wants to access other applications, or access the APIs, then Istio will first check whether the JWT token is valid or not; if valid, then there is no need to go to the OIDC provider again, otherwise start the authentication process.

Any help will be greatly appreciated.
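The following is an added configuration example, not part of the original post and not something the poster or the Istio project supplied, showing the shape of the setup the post refers to: one CUSTOM AuthorizationPolicy at the ingress gateway that sends every exposed hostname through a single oauth2-proxy extension provider, plus RequestAuthentication and AuthorizationPolicy on the internal APIs so the sidecar validates the JWT before the application's own permission logic runs. All names are assumptions: the oauth2-proxy Service `oauth2-proxy` in namespace `oauth2-proxy` on port 4180, an ingress gateway labelled `istio=ingressgateway`, API workloads labelled `app=api1`, and the placeholder issuer `https://oidc.example.invalid`.

```yaml
# Added example (not from the original post). Assumed names: the oauth2-proxy
# Service "oauth2-proxy" in namespace "oauth2-proxy" on port 4180, an ingress
# gateway labelled istio=ingressgateway, API workloads labelled app=api1, and
# a placeholder issuer "https://oidc.example.invalid". Replace all of them.

# 1. MeshConfig: register oauth2-proxy as an external authorizer.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    - name: oauth2-proxy
      envoyExtAuthzHttp:
        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port: 4180
        # Send the session cookie and any existing bearer token to oauth2-proxy,
        # so an already-authenticated user is allowed without a new OIDC round trip.
        includeRequestHeadersInCheck: ["authorization", "cookie"]
        # On allow, pass the token oauth2-proxy emits (its --set-authorization-header
        # option) upstream, so the application can forward it to the APIs.
        headersToUpstreamOnAllow: ["authorization", "x-auth-request-user", "x-auth-request-email"]
        # On deny, let the 302 redirect and Set-Cookie reach the browser.
        headersToDownstreamOnDeny: ["content-type", "set-cookie"]
---
# 2. One CUSTOM policy at the ingress gateway covers every exposed hostname,
#    so a single OIDC client registration serves demo1, demo2 and demo3.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: oidc-login
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts: ["demo1.domain.com", "demo2.domain.com", "demo3.domain.com"]
---
# 3. Internal API: the sidecar validates the JWT signature and issuer and rejects
#    requests without a valid token. The application keeps its own permission
#    logic on the claims of the forwarded token.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: api-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: api1
  jwtRules:
  - issuer: "https://oidc.example.invalid"                          # placeholder
    jwksUri: "https://oidc.example.invalid/.well-known/jwks.json"   # placeholder
    forwardOriginalToken: true   # keep the Authorization header for the API's own checks
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: api-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: api1
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]   # deny anything that did not present a valid JWT
```

Two caveats a practitioner would check before relying on this. First, RequestAuthentication alone only rejects tokens that are present and invalid; the DENY policy with `notRequestPrincipals: ["*"]` is what rejects requests carrying no token at all, and the sidecar answers those with 401/403 rather than a login redirect, since the redirect-to-OIDC step only exists at the gateway where oauth2-proxy sits. Second, returning the user to demo2.domain.com after a login that started at the demo1 callback is oauth2-proxy's job, not Istio's: it assumes oauth2-proxy is run with a cookie domain and redirect whitelist covering the parent domain (its `--cookie-domain` and `--whitelist-domain` options), otherwise it will refuse the cross-host return URL. On Istio releases older than the `security.istio.io/v1` API, use `v1beta1` for the same resources.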