I think this glosses over a very important part, which is just named in passing: "how do you actually know that bob is bob, and how do you trust that?"
The article's answer is 'user role [..] attached to a JWT', but that only really applies if you control your distributed microservice system; if you need to scale to heterogeneous identities you need to get into the magic world of federated authorities.
I agree that identity is important, but I would argue that the challenge lies in authn and would be its own separate article. This focus was on authz. We are assuming we trust the passed-in identity at this point. E.g. the user has authned, a session is established, and we trust that the identity has been passed securely from downstream.
The article's answer is 'user role [..] attached to a JWT', but that only really applies if you control your distributed microservice system; if you need to scale to heterogeneous identities you need to get into the magic world of federated authorities.
and that is where the pain really is.