Q: Where should you enforce your authorization policy?
A: Everywhere you can!
There are four common scenarios and enforcement points for a defense-in-depth strategy:
⚡ during the authentication ceremony
⚡ in the resource server
⚡ at the API gateway
⚡ in service-to-service communication