Is it possible to "chain" AuthorizationPolicies?

Hi all, I have a question about using AuthorizationPolicy to accomplish a specific scenario. In particular, I have set things up with a CUSTOM action and OAuth2-Proxy so that traffic hitting my Ingress Gateway, targeted to host, is sent through OAuth2-Proxy and Dex for login. After logging in I am then able to access the httpbin pod, as expected.

But… what I would like to do is further processing after the login, so I can, for example, permit access to a particular workload for some whitelisted set of users, but not “everybody who can login” and then conversely gate access to a different workload to a different set of users.

My naive thought would be to have the initial CUSTOM action based AuthorizationPolicy scoped to the Ingress Gateway to trigger the OAuth login, and then have subsequent AuthorizationPolicies scoped to the specific workloads, and that inspect the user principal from the headers provided by the OAuth flow.

Is this a reasonable understanding? If not, is there another way to achieve the same overall effect?

There can be only one ext authz provider supported

I’m not talking about having multiple CUSTOM AuthorizationPolicies. I’m talking about one CUSTOM one to trigger the OAuth flow, and then potentially one or more regular AuthorizationPolicies that use the credentials provided by the OAuth flow to make Authorization decisions.

Does anyone know if that scenario can work or not?