Istio returns error code 403 when no Authorization header is present
Current behaviour: For Azure CSP, we use Istio to provide authentication and part of the authorization. The sequence is that Istio first authenticates the request and then performs the partial authorization work. If an Authorization header is present, the authentication step checks the token passed and decides whether it is valid. However, if there is no Authorization header at all, the authentication step does not block the request; it silently passes it on to the authorization step, which then fails because there was no authentication information to begin with. The result is a 403.
Expected behaviour: A server that requires authentication should return 401 instead of 403.
See RFC 2616, section 10.4.2: https://tools.ietf.org/html/rfc2616#section-10.4.2 cc: @kiveerap
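The two-stage behaviour described above, as an added minimal reproducer (not from the original issue or from Istio's own documentation); it assumes Istio's RequestAuthentication and AuthorizationPolicy resources (Istio 1.5 or later), a workload in namespace `default` labelled `app: httpbin`, and placeholder issuer and JWKS values:

```yaml
# Added example: minimal Istio configuration that exhibits the behaviour in this issue.
# Assumed: Istio >= 1.5 security CRDs, a workload in namespace "default" labelled
# app=httpbin, and placeholder issuer / JWKS values (replace with your identity provider's).
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
    - issuer: "https://issuer.example.invalid"        # placeholder
      jwksUri: "https://issuer.example.invalid/jwks"  # placeholder
# Authentication step: a request carrying an invalid token is rejected here (401).
# A request with NO Authorization header is not rejected here; it is passed on with an
# empty request principal, which is the situation this issue describes.
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]   # only requests with a validated JWT principal
# Authorization step: the header-less request has no principal, matches no ALLOW rule,
# and is denied with "RBAC: access denied", i.e. HTTP 403, where RFC 2616 section 10.4.2
# calls for a 401 when credentials are absent.
```

To confirm the behaviour, send three requests to the workload (no Authorization header, a malformed token, a valid token) and compare the status codes; the header-less request is the one that comes back as 403.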
Edited by Aman Verma