DEV Community

TheProdSDE

Posted on • Originally published at Medium

Your JWT Is Lying to You — The Authorization Problem Nobody Solves Correctly

A valid token proves that a trusted issuer signed its claims at some point in the past. It says almost nothing about what the bearer is allowed to do right now.
That gap is where most authorization architectures silently collapse, and where botnets quietly walk in.
I published a deep-dive on Medium covering the full picture of what happens after token validation — the layer most applications get dangerously wrong.
What's covered:
Why JWTs aren't enough
JWTs encode static claims at issuance time. Authorization decisions are almost never static. Resource state, approval workflows, time-based rules, and revocation events all live outside the token.
The four authorization models
RBAC, ABAC, ReBAC, and Policy-as-Code — when each applies, and when you need to combine them.
Open Policy Agent (OPA) — in depth
Full Rego policy walkthrough, real HTTP request/response, unit test examples, and Kubernetes admission control via Gatekeeper.
The policy engine landscape
Honest tradeoffs between OPA, Cedar (AWS), Cerbos, Casbin, and SpiceDB — including who each one is actually best for.
Threat-aware authorization
How botnets pass authentication with perfectly valid tokens and then exploit weak authorization, how to wire IP reputation, request velocity, and device signals into your OPA policy as inputs alongside the token claims, and why BOLA (Broken Object Level Authorization) has held the #1 spot in the OWASP API Security Top 10 in both the 2019 and 2023 editions.
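As an added example (not code from this post or from the Medium article), the following puts the "Why JWTs aren't enough" gap and the BOLA and risk-signal checks from "Threat-aware authorization" side by side in Python. The JWT verifier is hand-rolled HS256 so it runs without PyJWT or OPA; the signing secret, the document records, the revocation list and the velocity threshold are all constructed for the demo and stand in for whatever store or policy engine a real service would query.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real service would use the IdP's key material.
SECRET = b"demo-only-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT. The claims are frozen here; nothing updates them later."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify(token: str, secret: bytes = SECRET, now=None):
    """Authentication only: algorithm pin, signature, expiry.

    Returns the claims dict or None. It deliberately knows nothing about
    resources, ownership, revocation events or the request context.
    """
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(b64url_decode(header))
        if hdr.get("alg") != "HS256":  # refuse "none" and algorithm confusion
            return None
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, TypeError):  # wrong part count, bad base64 or JSON
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# State the token cannot carry. All records are constructed for the demo.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "status": "approved"},
    "doc-2": {"owner": "bob", "status": "draft"},
}
REVOKED_JTI = {"jti-revoked"}


class Authorizer:
    """Runs only after verify() has succeeded; every check here is post-issuance."""

    def __init__(self, velocity_limit: int = 5):
        # Allowed requests per subject. Toy counter: no window reset.
        self.velocity_limit = velocity_limit
        self.hits = {}

    def decide(self, claims: dict, action: str, doc_id: str, ip_reputation: str = "good"):
        sub = claims.get("sub")
        # 1. Revocation happened after issuance; the token still verifies.
        if claims.get("jti") in REVOKED_JTI:
            return False, "token revoked"
        doc = DOCUMENTS.get(doc_id)
        if doc is None:
            return False, "no such resource"
        # 2. BOLA guard: a valid identity is not ownership of this object id.
        if doc["owner"] != sub and "admin" not in claims.get("roles", []):
            return False, "not owner"
        # 3. Resource state: only approved documents may be published.
        if action == "publish" and doc["status"] != "approved":
            return False, "document not approved"
        # 4. Risk signals come from the request context, not from the token.
        if ip_reputation == "bad":
            return False, "bad ip reputation"
        self.hits[sub] = self.hits.get(sub, 0) + 1
        if self.hits[sub] > self.velocity_limit:
            return False, "velocity exceeded"
        return True, "ok"


if __name__ == "__main__":
    token = mint({"sub": "alice", "roles": ["user"], "jti": "jti-1", "exp": int(time.time()) + 300})
    claims = verify(token)
    az = Authorizer()
    print(az.decide(claims, "read", "doc-1"))  # owner of doc-1: allowed
    print(az.decide(claims, "read", "doc-2"))  # same valid token, someone else's object: denied
```

The point to notice is that `verify()` returns exactly the same claims for both `decide()` calls at the bottom; the denial on `doc-2` comes entirely from the ownership lookup, which is the check BOLA-vulnerable APIs skip. In an OPA deployment the four numbered checks move into Rego and the document record, revocation set and IP reputation arrive in the `input` document or via `data`, but the split is the same: the token settles who, the policy settles whether.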

👉 Read the full article on Medium: AuthZ
(Part 1 — covering OAuth 2.0, OIDC, SAML, JWT internals, Okta vs Keycloak — is linked at the top of the article.)
