I have an Istio 1.3 cluster with an end-user JWT Authentication policy attached to a microservice. I also have an Authorization Mixer adapter set up for runtime authorization checks.
I would expect that the authentication policy kicks in first, followed by authorization. But the reverse seems to be happening, and if a client sends a request without any credentials, the client gets a 403 (mixer-authorization-denied error), whereas they should receive a 401 Authentication Denied error.
This has other ramifications: since the authorization happens before authentication, the authorization `request.auth.principal` attribute is not set. Setting this attribute requires authentication to take place first.