Hello,
I have the following AuthorizationPolicy:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth2-{{ .Values.environment }}
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ephemeral-istio
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
    - to:
        - operation:
            hosts:
              - "mailhog.{{ .Values.global.domain }}"
              - "dbgate.{{ .Values.global.domain }}"
    - to:
        - operation:
            hosts:
              - "api2.{{ .Values.global.domain }}"
            paths:
              - "/horizon/*"
              - "/telescope/*"
```
The first 2 hosts are working like they should, but with e.g. horizon, when I want to open it, it shows me the oauth2-proxy form, but when I click “Sign in with Google” it redirects me to:
https://api2.maindomain.com/oauth2/start?rd=%2Fhorizon%2F
with “404 not found”. In the oauth2-proxy logs I have:
```
[2023/06/27 20:58:28] [oauthproxy.go:959] No valid authentication in request. Initiating login.
127.0.0.6:53037 - 57221e80-9689-4e6d-a3d5-f034f30f8a16 - - [2023/06/27 20:58:28] api2.web1.maindomain.com GET - "/horizon/" HTTP/1.1 "" 403 8498 0.000
```
My helm config for oauth2-proxy:
```yaml
config:
  # Add config annotations
  annotations: {}
  # OAuth client ID
  clientID: "XXXX.apps.googleusercontent.com"
  # OAuth client secret
  clientSecret: "XXXXX"
  # Create a new secret with the following command
  # openssl rand -base64 32 | head -c 32 | base64
  # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
  # Example:
  # existingSecret: secret
  cookieSecret: "XXXX"
  # The name of the cookie that oauth2-proxy will create
  # If left empty, it will default to the release name
  cookieName: ""
  google:
    {}
    # adminEmail: xxxx
    # useApplicationDefaultCredentials: true
    # targetPrincipal: xxxx
    # serviceAccountJson: xxxx
    # Alternatively, use an existing secret (see google-secret.yaml for required fields)
    # Example:
    # existingSecret: google-secret
    # groups: []
    # Example:
    #  - group1@example.com
    #  - group2@example.com
  # Default configuration, to be overridden
  configFile: |-
    email_domains = [ "*" ]
    upstreams = "static://200"
    set_xauthrequest = true
    set_authorization_header = true
    pass_authorization_header = true
    pass_host_header = true
    pass_access_token = true
```
The rest of the values are default.
I added api2.maindomain.com to Google, with the redirect URL api2.mainomain.com/oauth2/callback
What am I missing? Why are the same settings working for a domain but not for paths?
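
An added example, not part of the original post: a simplified Python model of which requests the two rules in the policy above select for the CUSTOM provider, using Istio's exact/prefix/suffix/presence string matching. `example.test` is a constructed stand-in for the templated domain, and the `/oauth2/*` entry in `WITH_OAUTH2` is an assumed variant added for comparison, not something the post contains.

```python
# Simplified model of Istio AuthorizationPolicy matching for the policy above.
# DOMAIN is a constructed stand-in for {{ .Values.global.domain }}.
DOMAIN = "example.test"

# The two rules from the post: hosts only, then host plus paths.
POSTED = [
    {"hosts": [f"mailhog.{DOMAIN}", f"dbgate.{DOMAIN}"]},
    {"hosts": [f"api2.{DOMAIN}"], "paths": ["/horizon/*", "/telescope/*"]},
]
# Assumed variant for comparison (not in the post): oauth2-proxy's own
# endpoints on api2 are also selected.
WITH_OAUTH2 = [POSTED[0], {"hosts": POSTED[1]["hosts"],
                           "paths": POSTED[1]["paths"] + ["/oauth2/*"]}]


def istio_match(pattern, value):
    """Exact, prefix ("abc*"), suffix ("*abc") or presence ("*") match."""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value


def sent_to_provider(host, path, rules):
    """True if any rule selects the request for the CUSTOM provider.

    Rules are OR-ed; hosts and paths within one operation are AND-ed, and an
    absent field matches anything. `path` is the URL path without the query.
    """
    host = host.lower()  # host matching is case-insensitive
    for rule in rules:
        host_ok = "hosts" not in rule or any(
            istio_match(h.lower(), host) for h in rule["hosts"])
        path_ok = "paths" not in rule or any(
            istio_match(p, path) for p in rule["paths"])
        if host_ok and path_ok:
            return True
    return False


if __name__ == "__main__":
    for host, path in [(f"mailhog.{DOMAIN}", "/oauth2/start"),
                       (f"api2.{DOMAIN}", "/horizon/"),
                       (f"api2.{DOMAIN}", "/oauth2/start"),
                       (f"api2.{DOMAIN}", "/oauth2/callback")]:
        print(f"{host}{path}: posted={sent_to_provider(host, path, POSTED)} "
              f"with_oauth2={sent_to_provider(host, path, WITH_OAUTH2)}")
```

Under this model the posted rules select `/oauth2/start` on the hosts-only entries but not on `api2`, where only `/horizon/*` and `/telescope/*` are listed.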