
Allow OAUTH2 JWT scope attribute condition to authorization policy

Open martin2176 opened this issue 2 years ago • 0 comments

(This is used to request new product features, please visit https://discuss.istio.io for questions on using Istio)

Describe the feature request

Istio authorization API should support the scope attribute in conditions. These are the currently supported conditions --> https://istio.io/latest/docs/reference/config/security/conditions/ It supports claims, but not scopes.

Describe alternatives you've considered

I can use claims in the JWT token and use claims matching, however in OAuth2 standards scope is the correct way to describe if the token is allowed access to a particular resource. This is the list of supported condition attributes: https://istio.io/latest/docs/reference/config/security/conditions/ There is request.auth.claims. I would like Istio to also support request.auth.scope as an auth policy condition. I understand OPA policy evaluation supports scope, but it makes sense to add scope validation within Istio's own authorization policy since claim verification is already supported.

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience

Additional context

martin2176 Aug 13 '23 16:08
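The alternative the issue mentions, matching the scope claim through `request.auth.claims`, as an added configuration example that is not from the issue or from the Istio project. The issuer, JWKS URL, namespace, workload labels, paths and the `orders:read` scope value are assumed for illustration; `request.auth.scope` in the trailing comment is the key this issue proposes and does not exist in Istio.

```yaml
# Added example (not from the issue or the Istio project). Assumed values:
# issuer.example.com, the "orders" namespace and workload, the /orders paths
# and the "orders:read" scope. Istio claim conditions match claims that are a
# string or a list of strings; the list form (e.g. an "scp" array, as some
# identity providers emit) matches when any element equals a listed value.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-require-scope
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        # Requires a validated JWT from the issuer above; RequestAuthentication
        # alone still lets requests with no token through.
        requestPrincipals: ["https://issuer.example.com/*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders", "/orders/*"]
    when:
    # Workaround from the issue: compare the scope-carrying claim directly.
    # Assumes the token carries scopes as a JSON array claim named "scp".
    - key: request.auth.claims[scp]
      values: ["orders:read"]
    # Proposed by this issue, NOT an existing Istio key (shown for contrast):
    # - key: request.auth.scope
    #   values: ["orders:read"]
```

Two things to check when using the claims form: once an ALLOW policy selects the workload, any request that does not match a rule is denied, so a token lacking the listed scope (or no token at all) is rejected; and the claim name and shape must match what the identity provider actually emits, since a scope carried as one space-separated string in a `scope` claim is compared as a whole string by claim matching, which is the gap a scope-aware condition would close.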