Order of execution of Istio Authentication Policy and Mixer-based authorization: Istio 1.3

I have an Istio 1.3 cluster with an end-user JWT Authentication policy attached to a microservice. I also have an Authorization Mixer adapter set up for runtime authorization checks.

I would expect the authentication policy to kick in first, followed by authorization. But the reverse seems to be happening, and if a client sends a request without any credentials, the client gets a 403 (mixer-authorization-denied error), whereas they should receive a 401 Authentication Denied error.

This has other ramifications: since the authorization happens before authentication, the authorization request.auth.principal attribute is not set. Setting this attribute requires authentication to take place first.