Story
Resolution: Done
We need a feature for specifying meshConfig in the Operator CRDs, so that we can configure extensionProviders, e.g. envoyExtAuthzHttp for the OIDC authorization code flow, to protect microservices at the mesh level.
Below is the meshConfig for extensionProviders from the Istio API:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    - name: oauth2-proxy
      envoyExtAuthzHttp:
        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port: 4180
        includeRequestHeadersInCheck:
        - cookie
        headersToUpstreamOnAllow:
        - authorization
        headersToDownstreamOnDeny:
        - set-cookie
This allows users to configure the authorization providers that can be referenced from a CUSTOM AuthorizationPolicy. See the Istio documentation for External Authorization.
To test, we will need to mock up a flow that uses an authorization provider. Using the OpenShift authorization endpoint may be a possibility, but if that doesn't work, we'd need to set up some sort of server to handle authorization (e.g. Keycloak).
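As an added example (not part of this ticket), the CUSTOM AuthorizationPolicy that references the oauth2-proxy provider defined in the meshConfig above; the policy name, the namespace and the workload label app: httpbin are assumed:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth2-proxy-ext-authz   # assumed policy name
  namespace: default             # assumed namespace of the protected workload
spec:
  selector:
    matchLabels:
      app: httpbin               # assumed label of the workload to protect
  # CUSTOM delegates the allow/deny decision to the named extension provider
  action: CUSTOM
  provider:
    # must match extensionProviders[].name in meshConfig
    name: oauth2-proxy
  rules:
  # every request to the selected workload is sent to oauth2-proxy for a check;
  # per includeRequestHeadersInCheck only the "cookie" header is forwarded with it
  - to:
    - operation:
        notPaths: ["/healthz"]   # assumed: leave the health endpoint unauthenticated
```

On deny, the set-cookie header from oauth2-proxy reaches the client (headersToDownstreamOnDeny); on allow, the authorization header is forwarded to the workload (headersToUpstreamOnAllow), so the workload should still validate that token rather than trust the header alone.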
- is blocked by: OSSM-1641 MeshConfig Strategy (Closed)