Bearer token - Token propagation to upstream communication #56943
Unanswered
MahendraRaja
asked this question in
Q&A
Background
We are attempting to ensure that the Authorization (Bearer) token from client requests is consistently forwarded and available to all downstream services in our Kubernetes/Istio environment. This is required for authentication/authorization at each hop (sidecar → app, service-to-service).
Environment
Kubernetes
Istio
Envoy
What We've Tried
EnvoyFilter: header_to_metadata / metadata_to_header
Approach: Copy Authorization header to dynamic metadata and then back into outbound headers.
Outcome: Inbound copy works, but outbound injection is not reliable. Metadata doesn't persist across the filter chain as expected.
Lua Filter for Header Propagation
Approach: Use Lua to read the Authorization header and inject it in outbound requests.
Outcome: Lua script can access inbound headers, but does not always have access to the original token for outbound requests, due to Envoy's internal context limitations. Logging confirms header loss after ingress, especially for non-HTTP/1.1 hops.
References
Istio Discuss: Passing Authorization Headers Automatically/JWT Between Microservices
Conclusion / Request
After multiple approaches and extensive testing, it appears there is no robust, transparent, infrastructure-level method to propagate the original Authorization header (Bearer token) across all hops in Istio with current Envoy/Lua capabilities. All solutions either break at the filter chain boundary, lose header context, or require intrusive application code changes.
If any new methods exist, or if I've missed something, please advise. Otherwise, we will need to ask all developers to include token propagation as part of the application code.
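The application-level propagation that the post falls back to, as an added example (not from the original post or from Istio): a WSGI middleware records the inbound Bearer token per request, and a helper attaches it only to upstream calls aimed at in-mesh hosts, so the token is not leaked to external endpoints. The class and function names, the sample URLs and token, and the `.svc.cluster.local` suffix allow-list are assumptions.

```python
import contextvars
from urllib.parse import urlsplit

# Per-request storage; isolated across threads and asyncio tasks.
_inbound_auth = contextvars.ContextVar("inbound_auth", default=None)

# Assumption: only hosts with these suffixes may receive the caller's token.
TRUSTED_SUFFIXES = (".svc.cluster.local",)


class BearerCaptureMiddleware:
    """Record the inbound Authorization header for the duration of a request.

    Assumes the wrapped app makes its upstream calls before it returns.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        value = environ.get("HTTP_AUTHORIZATION", "")
        scheme, _, token = value.partition(" ")
        bearer = value if scheme.lower() == "bearer" and token.strip() else None
        reset = _inbound_auth.set(bearer)
        try:
            return self.app(environ, start_response)
        finally:
            _inbound_auth.reset(reset)  # never carry a token into the next request


def outbound_headers(url, headers=None):
    """Headers for an upstream call; add the caller's token for trusted hosts only."""
    out = dict(headers or {})
    host = (urlsplit(url).hostname or "").lower()
    token = _inbound_auth.get()
    if token and host.endswith(TRUSTED_SUFFIXES) and "Authorization" not in out:
        out["Authorization"] = token
    return out


def demo():
    """Drive one constructed request through the middleware and collect results."""
    seen = {}
    def app(environ, start_response):
        seen["internal"] = outbound_headers("http://orders.shop.svc.cluster.local:8080/v1")
        seen["external"] = outbound_headers("https://api.example.com/hook")
        start_response("200 OK", [])
        return [b"ok"]
    environ = {"HTTP_AUTHORIZATION": "Bearer constructed.sample.token"}  # constructed input
    BearerCaptureMiddleware(app)(environ, lambda status, hdrs: None)
    seen["after"] = outbound_headers("http://orders.shop.svc.cluster.local:8080/v1")
    return seen
```

Pass the result of `outbound_headers()` as the `headers` argument of whatever HTTP client the service already uses.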