I am trying to set up a first OIDC and JWT token with the IBM App Identity and Access Adapter, and after everything is installed something is missing and I can't understand what.
Version
Istio 1.5
Kubernetes 1.17
ibm app id: stable helm repo
helm: 3.2
First step: install Istio following the Getting Started guide.
I followed these steps: https://istio.io/docs/setup/getting-started/
Second step: ibm app identity and access adapter
I installed it following the instructions in the README. I just had to change the commands to use Helm 3, as I am on Kubernetes 1.17.
Third step:
Adding the config:
# socio-jwt.yaml
apiVersion: "security.cloud.ibm.com/v1"
kind: JwtConfig
metadata:
  name: socio-jwt
  # namespace: default
  namespace: istio-system # tried with both default and istio-system
spec:
  jwksUrl: https://sso.staging.infra-socotec.net/auth/realms/socotec-user/protocol/openid-connect/certs
# socio-keycloak-oidc.yaml
apiVersion: "security.cloud.ibm.com/v1"
kind: OidcConfig
metadata:
  name: socio-keycloak-oidc
  # namespace: default
  namespace: istio-system # tried with both default and istio-system
spec:
  discoveryUrl: https://sso.staging.infra-socotec.net/auth/realms/socotec-user/.well-known/openid-configuration
  clientId: 1234-abcd-efgh-4567
  clientSecret: <name-of-my-kube-secret> # I use a real one here of course
  # clientSecretRef:
  #   name: <name-of-my-kube-secret>
  #   key: <key-in-my-kube-secret>
# socio-oidc-policy.yaml
apiVersion: "security.cloud.ibm.com/v1"
kind: Policy
metadata:
  name: socio-oidc-policy
  # namespace: default
  namespace: istio-system # tried with both default and istio-system
spec:
  targets:
    - serviceName: productpage # internal service name
      paths:
        - prefix: /productpage
          method: ALL
          policies:
            - policyType: oidc
              config: socio-keycloak-oidc
        - prefix: /api/v1
          method: ALL
          policies:
            - policyType: jwt
              config: socio-jwt
    - serviceName: bookinfo # external virtual service name, see https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/bookinfo-gateway.yaml
      paths:
        - prefix: /productpage
          method: ALL
          policies:
            - policyType: oidc
              config: socio-keycloak-oidc
        - prefix: /api/v1
          method: ALL
          policies:
            - policyType: jwt
              config: socio-jwt
I used these commands to add the config (if the namespace was istio-system I added the -n istio-system option):
kubectl apply -f istio-yaml/socio-jwt.yaml
kubectl apply -f istio-yaml/socio-keycloak-oidc.yaml
kubectl apply -f istio-yaml/socio-oidc-policy.yaml
Global Kubernetes info:
[screenshot: Kubernetes global information]
IBM App ID log:
I am kind of stuck now. Everything seems good, but when I navigate to http://in51aonvlo.lb.c1.gra.k8s.ovh.net/productpage or http://in51aonvlo.lb.c1.gra.k8s.ovh.net/api/v1/products there is no authentication.
I am certainly missing something, but I need some help to figure out what.
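The post tries the manifests in both default and istio-system, so the first thing worth checking is whether every Policy entry actually resolves to a JwtConfig/OidcConfig of the right kind in the namespace where the adapter will look for it. The script below is an added example, not code from the poster or from the IBM adapter project: it cross-references Policy entries against the config objects and reports a missing object, a kind that does not match the policyType, or a config that exists only in another namespace. The manifests are constructed in-line as Python dicts mirroring the ones in the post (with a placeholder client secret); the rule that a Policy's config must live in the Policy's own namespace is an assumption made by this lint, as is the name `build_manifests`.

```python
"""Lint added as an example: cross-check adapter Policy references.

Assumption (not taken from the post): the adapter resolves `config`
names in the Policy's own namespace, so a config in another namespace
counts as a finding.
"""
from typing import Dict, List, Tuple

# Which CRD kind each policyType is expected to reference.
KIND_FOR_POLICY_TYPE = {"oidc": "OidcConfig", "jwt": "JwtConfig"}


def build_manifests(config_ns: str, policy_ns: str) -> List[dict]:
    """Constructed copies of the poster's three manifests, as dicts.

    `config_ns` is applied to JwtConfig/OidcConfig, `policy_ns` to the
    Policy, so the namespace-mismatch case can be reproduced offline.
    """
    jwt = {"apiVersion": "security.cloud.ibm.com/v1", "kind": "JwtConfig",
           "metadata": {"name": "socio-jwt", "namespace": config_ns},
           "spec": {"jwksUrl": "https://sso.staging.infra-socotec.net/auth/"
                               "realms/socotec-user/protocol/openid-connect/certs"}}
    oidc = {"apiVersion": "security.cloud.ibm.com/v1", "kind": "OidcConfig",
            "metadata": {"name": "socio-keycloak-oidc", "namespace": config_ns},
            "spec": {"discoveryUrl": "https://sso.staging.infra-socotec.net/auth/"
                                     "realms/socotec-user/.well-known/openid-configuration",
                     "clientId": "1234-abcd-efgh-4567",
                     "clientSecret": "<client-secret-placeholder>"}}  # constructed placeholder

    def paths() -> List[dict]:
        return [{"prefix": "/productpage", "method": "ALL",
                 "policies": [{"policyType": "oidc", "config": "socio-keycloak-oidc"}]},
                {"prefix": "/api/v1", "method": "ALL",
                 "policies": [{"policyType": "jwt", "config": "socio-jwt"}]}]

    policy = {"apiVersion": "security.cloud.ibm.com/v1", "kind": "Policy",
              "metadata": {"name": "socio-oidc-policy", "namespace": policy_ns},
              "spec": {"targets": [{"serviceName": "productpage", "paths": paths()},
                                   {"serviceName": "bookinfo", "paths": paths()}]}}
    return [jwt, oidc, policy]


def index_configs(manifests: List[dict]) -> Dict[Tuple[str, str, str], dict]:
    """Key every non-Policy manifest by (kind, namespace, name)."""
    index = {}
    for m in manifests:
        if m["kind"] == "Policy":
            continue
        meta = m["metadata"]
        index[(m["kind"], meta.get("namespace", "default"), meta["name"])] = m
    return index


def lint_policies(manifests: List[dict]) -> List[str]:
    """Return one human-readable finding per unresolved Policy reference."""
    findings: List[str] = []
    configs = index_configs(manifests)
    for m in manifests:
        if m["kind"] != "Policy":
            continue
        ns = m["metadata"].get("namespace", "default")
        pname = m["metadata"]["name"]
        for target in m["spec"].get("targets", []):
            svc = target["serviceName"]
            for path in target.get("paths", []):
                for pol in path.get("policies", []):
                    where = f"Policy {ns}/{pname} -> {svc}{path['prefix']}"
                    kind = KIND_FOR_POLICY_TYPE.get(pol["policyType"])
                    if kind is None:
                        findings.append(f"{where}: unknown policyType {pol['policyType']!r}")
                        continue
                    if (kind, ns, pol["config"]) in configs:
                        continue
                    # Distinguish "wrong namespace" from "does not exist at all".
                    elsewhere = [k for k in configs if k[0] == kind and k[2] == pol["config"]]
                    if elsewhere:
                        findings.append(f"{where}: {kind} {pol['config']!r} exists in namespace "
                                        f"{elsewhere[0][1]!r} but the Policy is in {ns!r}")
                    else:
                        findings.append(f"{where}: no {kind} named {pol['config']!r} "
                                        f"in namespace {ns!r}")
    return findings


if __name__ == "__main__":
    for cfg_ns, pol_ns in (("istio-system", "istio-system"), ("default", "istio-system")):
        print(f"configs in {cfg_ns}, policy in {pol_ns}:")
        for line in lint_policies(build_manifests(cfg_ns, pol_ns)) or ["  ok"]:
            print("  " + line)
```

In practice you would feed it the output of `kubectl get jwtconfig,oidcconfig,policy -A -o json` (items list) instead of the constructed dicts; an empty result means the references resolve, and the remaining suspects are the adapter's own log and whether the target service name matches what the adapter sees for the request.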