Here's what I want: Istio 1.6.4 in Kubernetes acting as the ingress. oauth2-proxy wrapped around one application, not the whole cluster. OpenID Connect support for Azure AD - both interactive OIDC and support for the client_credentials OAuth flow. Istio token validation in front of the app. No replacing the Istio sidecar.