Istio, jwts in cookies... how?

I’m puzzled; I was trying to implement istio/auth0 as in the article Authenticating and Authorizing end-users with Istio and Auth0, and most everything went well except my AuthorizationPolicy isn’t responding.

I know it’s more or less working because I can change whitelisted routes (a to: operation: paths fallback rule) and see the results. But anything that requires authentication (even source: requestPrincipals: ["*"]) fails.

My suspicion is that the browser is not sending an Authorization: (or x-auth… whatever) header; Flask stores the user access token in a mildly encrypted session cookie. I can store it in a named cookie (say access_token) and that shows up in requests, but I can’t get Istio to see it; I’m sure there’s a way using filters (I had a brief experiment with a jwt_authn filter to no avail; not sure how to add headers there).

I feel rather foolish because surely this is a pretty common use case, yet I’m completely baffled and running out of time to keep exploring. I still like what I see about internal traffic routing but it would be nice to put as much security in the infrastructure as we can and keep the software as clean as possible. How should I proceed? I saw Use Istio for authorisation: how to redirect to login page and how to use JWT cookies and EnvoyFilter in ingressgateway does not seem to work and am not having much luck with either approach.

…halp?