How do I integrate envoy as a gateway, auth0 as an authentication system and OPA as an authorization system?

I'm working on a server configuration with:

• envoy proxy as a gateway, with a simple python web server behind it to serve web pages and API calls.
• Auth0 to authenticate my users.
• OPA as the Authorization system.

I've used a docker-compose.yml similar to this to create the envoy and OPA setup. I've implemented the Auth0 with OPA installation guide, so I have the Auth0 data in my encrypted session cookie after login (on which the authorization logic will work on). I've also found useful resources like this, that implement almost the exact flow I'm looking for.

All implementations, examples and guides I've found do not use this exact configuration, and have an additional piece of code that decodes the session data from the cookie, and extracts the user info (id_token) before calling the OPA service. Sometimes as part of the web server code (which defeats the purpose of the envoy gateway in my case).

I feel very close to an elegant design with little or no boiler plate code and with no overlap in responsibility between services. What am I missing? Is there an envoy filter that extracts the encrypted session from the cookie I should use before calling OPA? Perhaps OPA can decrypt the session data from the cookie?

Is there something inherently wrong in my design?

The best solution I came up with (especially in a docker-compose environment) is:

1. The standard Envoy Proxy docker image (envoyproxy/envoy)
2. The standard OPA docker image (openpolicyagent/opa)
3. The built-in Envoy OAuth filter (envoy.filters.http.oauth2). It would have been great if I could find an envoy OIDC implementation, but this ticket (https://github.com/envoyproxy/envoy/issues/21982) suggests there isn't much interest in it. I'm not sure why... For a web based solution, the filter will route the IdToken from the authentication service, to the browser cookie.
4. The built-in Envoy External Authorization filter (envoy.filters.http.ext_authz) configured to point to the OPA service. This filter routes the cookie (with the IdToken) to the OPA service, allowing permissions based on user info from the auth service.
5. The built-in Envoy JWT filter (envoy.filters.http.jwt_authn), configured with remote_jwks to get authentication info directly from Auth0 (in my case)
6. Your backend services (web or API). They will not need any authentication / authorization logic.
7. An Auth0 account set up (in my case) for the envoy auth filter to work with. One might want to put user authorization data there.

In this solution, there is ZERO boilerplate code. No extra plugins to build into envoy, etc. Every component is separately configured using config files (OPA rego policy file, envoy yaml, and docker-compose to connect everything).

It was slightly difficult to find documentation to configure things correctly. Please comment if you'd like me to share more details.