Passing Authorization headers automatically (JWT) between microservices

Hi Dean! Just to confirm, you wanna do the following:

Ingress Gateway -> Service1 -> Service2 -> Service3

The JWT is provided to the Ingress Gateway in the Authorization header and you want to add that same header to your call to Service 2 and so on, right?

I don’t see how to do that automatically, since it would be very hard for Istio (or any other proxy) to correlate the incoming TCP socket to the outgoing TCP socket (i.e., to know they belong to the same HTTP or gRPC request). From Istio’s point of view, the outgoing socket could belong to any request received or even started by an internal job of your application. It also cannot determine which thread in your application was responsible for handling a specific request.

The outputPayloadToHeader is used so the proxy can output the base64(jwt_json), for a successfully verified JWT received by the proxy, to your application under a new header of your choice (i.e. the value of outputPayloadToHeader itself).

You could, instead, build a client library for making requests from your service to another that is able to look up the original request and bypass the header on every call you make (something like a session).

Hope this helps

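The client-library idea from the reply above, as an added example that is not part of the original post or of Istio: the application remembers the incoming Authorization header per request and its outbound helper re-attaches it. The function names, the `FORWARD_TO` host allowlist (an extra assumption, so the token only goes to named internal services) and the placeholder tokens are all hypothetical.

```python
import contextvars
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlsplit

# Holds the Authorization header of the request currently being handled.
_incoming_auth = contextvars.ContextVar("incoming_auth", default=None)

# Assumption: hosts allowed to receive the caller's JWT (hypothetical names).
FORWARD_TO = {"service2.default.svc.cluster.local",
              "service3.default.svc.cluster.local"}


def run_in_request_context(incoming_headers, handler):
    """Server-side hook: remember the caller's header while handler runs."""
    auth = next((v for k, v in incoming_headers.items()
                 if k.lower() == "authorization"), None)

    def _call():
        _incoming_auth.set(auth)
        return handler()

    # A copied context keeps the value from leaking into other requests.
    return contextvars.copy_context().run(_call)


def outbound_headers(url, extra=None):
    """Client-side hook: headers for a call to url, JWT added when allowed."""
    headers = dict(extra or {})
    auth = _incoming_auth.get()
    if auth and urlsplit(url).hostname in FORWARD_TO:
        headers["Authorization"] = auth
    return headers


def service1_handler():
    # Stand-in for Service1 calling Service2 and an external API.
    return (outbound_headers("http://service2.default.svc.cluster.local/orders"),
            outbound_headers("https://api.example.com/rates"))


def demo():
    # Constructed sample requests; tokens are placeholders, not real JWTs.
    reqs = [{"Authorization": "Bearer token-A"},
            {"authorization": "Bearer token-B"}, {}]
    with ThreadPoolExecutor(max_workers=3) as pool:
        return list(pool.map(
            lambda h: run_in_request_context(h, service1_handler), reqs))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A call made outside any request context (for example from an internal job) gets no Authorization header, which matches the case the reply says a proxy cannot tell apart.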