JWT tokens propagation between multiple clusters

I have 2 k8s clusters with istio 1.5 authentication and jwt token enabled.

Authentication works with JWT tokens custom headers x-jwt-cluster1/x-jwt-cluster2.

I need to make an external call to app1 in cluster1,
then app1 should call app2 in cluster2.

But when I use in single call 2 jwt tokens with headers x-jwt-cluster1 and x-jwt-cluster2 and I call app1 (cluster1) which then has to call -> app2 (cluster2) I get 500/403 RBAC permission denied error

Please suggest how it’s possible to deal with this case. I know it’s possible to use EnvoyFilter to propagate headers between services, but I’d prefer to step on something more istio-like/standard solution

Also an option with using forwardOriginalToken didn’t work


    - fromHeaders:
      - name: x-jwt-cluster1
      issuer: dev@example.com
      jwks: MYPARAMS
      - x-jwt-cluster1
        app: my-app