Istio AuthService not redirecting on initial request (or ever, as far as that goes)

I am attempting to integrate OIDC with Istio using the AuthService project. I’ve been following the bookinfo-example with the one big change being that I’m trying to use Azure AAD’s OIDC support for my IDP instead of Google. However, I’ve as yet been unable to get the AuthService to redirect my request to the IDP for sign-in. If I leave the RequestAuthentication and AuthorizationPolicy objects undeployed, then I’m able to access the /productpage with no problem (but with no redirect to login) and if I do deploy those objects, I’m simply met with an “Access Denied” error (and, again, no redirect for login).

Here’s what my setup looks like so far:

K8S: Azure Kubernetes Service
Istio: 1.18.2
Authservice: 0.5.3
  1. authservice and bookinfo pods are deployed, everything is running, and Istio sidecars are injected:
    kubectl -n default get pods
    NAME                              READY   STATUS    RESTARTS   AGE
    authservice-6bbff64c85-mblwn      2/2     Running   0          20m
    details-v1-6997d94bb9-xblrj       2/2     Running   0          55m
    productpage-v1-58b4c9bff8-n2rfz   2/2     Running   0          55m
    ratings-v1-b8f8fcf49-s7kqt        2/2     Running   0          55m
    reviews-v1-5896f547f5-t9htt       2/2     Running   0          55m
    reviews-v2-5d99885bc9-qcd8h       2/2     Running   0          55m
    reviews-v3-589cb4d56c-gw7xj       2/2     Running   0          55m

  1. I’ve made the change to the Mesh config to enable the envoyExtAuthzGrpc extensionProvider for the AuthService:
    kubectl edit cm -n istio-system

    mesh: |-
      accessLogFile: /dev/stdout
      extensionProviders:
      - name: "authservice-grpc"
        envoyExtAuthzGrpc:
          service: authservice.default.svc.cluster.local
          port: "10003"
      defaultConfig:
        concurrency: 16
        discoveryAddress: istiod.istio-system.svc:15012

  1. The authservice container looks to be in OK shape. The readiness probe failed a few times as it was starting, but it shows as “Ready” now. Everything else seems to look good at first blush:
       Container ID:   
       Image ID:
       Port:           10003/TCP
       Host Port:      0/TCP
       State:          Running
        Started:      Mon, 16 Oct 2023 14:38:24 -0400
       Ready:          True
       Restart Count:  0
       Readiness:      http-get http://:15020/app-health/authservice/readyz delay=0s timeout=1s period=10s #success=1 #failure=3
  1. The Gateway seems OK. And I can access the page via the Gateway OK, as long as the RequestAuthentication and AuthorizationPolicy aren’t deployed, so I don’t think there’s any issue here:
    kubectl -n default describe gw
    Name:         bookinfo-gateway
    Namespace:    default
    API Version:
    Kind:         Gateway
      Creation Timestamp:  2023-10-16T18:38:22Z
      Generation:          1
      Resource Version:    59762766
      UID:                 9ab0c00c-892f-4ad1-99da-7f04e1e9b877
        Istio:  ingressgateway

          Name:      https-443
          Number:    443
          Protocol:  HTTPS
          Credential Name:  ingress-tls-cert
          Mode:             SIMPLE

  1. My values.yaml looks like this:
      # image:
      # How the authservice will be enabled and enforced.
      # This can be at ingress (by default) or at application sidecar.
      enforcingMode: ingress
      authorizationURI: ""
      tokenURI: ""
      clientID: your-client-id
      clientSecret: your-client-secret
      # JSON string containing the identity provider's public key for validating id token.
      # jwks: "<>"

EDIT: I thought maybe the problem was that I didn’t have the EnvoyFilter declared in “productpage-external-authz-envoyfilter-sidecar.yaml” deployed. The README doesn’t seem to mention that file, so I’m not sure whether it’s needed by default or not. But I deployed it and it didn’t make any difference, FWIW.

Anybody have any thoughts on what could be going on here?
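For reference, here is a minimal end-to-end wiring of the three pieces involved, added as an illustration and not taken from the post above or from the authservice project's own manifests. The provider name, service address and port follow the values in the post; the hostname, tenant id and object names are placeholders. The point it makes is that only a CUSTOM AuthorizationPolicy that matches the request (and covers the authservice callback path) hands the request to authservice, which is the only component that can answer with a redirect. A RequestAuthentication plus an ALLOW policy on productpage never redirect; they only reject requests that arrive without a valid token.

```yaml
# Added example, not from the post or the authservice repo.
# Assumptions: Istio 1.18 (v1beta1 security APIs), authservice listening on
# authservice.default.svc.cluster.local:10003, enforcingMode: ingress, Azure AD
# v2.0 endpoints; <tenant-id> and bookinfo.example.com are placeholders.

# 1. meshConfig: the extension provider. Lives in the `istio` ConfigMap in
#    istio-system (or under meshConfig in an IstioOperator). Its `name` is the
#    only link between the mesh config and the CUSTOM AuthorizationPolicy below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    accessLogFile: /dev/stdout
    extensionProviders:
    - name: authservice-grpc
      envoyExtAuthzGrpc:
        service: authservice.default.svc.cluster.local
        port: 10003
        # default; an unreachable provider is a 403 at the gateway, never a redirect
        failOpen: false
---
# 2. CUSTOM AuthorizationPolicy on the ingress gateway workload. This is the
#    object that sends the request to authservice; without a matching CUSTOM
#    policy Envoy never calls authservice and no redirect can be produced.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authservice-ingress     # placeholder name
  namespace: istio-system       # namespace of the gateway pods, not of the app
spec:
  selector:
    matchLabels:
      istio: ingressgateway     # same label the Gateway's selector uses
  action: CUSTOM
  provider:
    name: authservice-grpc      # must match extensionProviders[].name exactly
  rules:
  - to:
    - operation:
        hosts: ["bookinfo.example.com"]   # placeholder; match the Gateway host
        # No `paths` restriction on purpose: the callback_uri configured in
        # authservice must also pass through this policy, otherwise the code
        # exchange after the IdP redirect never reaches authservice.
---
# 3. Validate the id token that authservice forwards, then require it.
#    These two objects enforce, they do not redirect: a request that reaches
#    productpage without a valid token gets "RBAC: access denied" from the sidecar.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: productpage-jwt          # placeholder name
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: "https://login.microsoftonline.com/<tenant-id>/v2.0"
    jwksUri: "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-require-jwt  # placeholder name
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]   # any principal the RequestAuthentication validated
```

To tell the two failure modes apart, read the ingress gateway access log (the post already sets accessLogFile to /dev/stdout): a request that reached authservice and was refused by it carries Envoy's UAEX response flag, whereas a request that never went through ext_authz and was rejected by the sidecar's ALLOW policy shows rbac_access_denied_matched_policy[...] in response_code_details. If the denial is the latter, the CUSTOM policy is not matching the gateway workload, host or provider name, and authservice is never being asked.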