by maskaler 1542 days ago
The best I've ever had it is using an API gateway that destructured a token into headers. Back end services used MTLS. This meant testing Auth was as simple as adding headers. No server needed to be up, no jwt nonsense needed to be mocked. I can't recommend enough keeping this nonsense at the boundaries.
2 comments
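As an added illustration of the pattern described in the comment above (not code from the commenter or any named project): a backend handler that rebuilds its claims from headers the gateway set, and trusts those headers only when the request arrived over the mTLS connection from the gateway, so the authorization logic can be exercised in a plain function call with no server and no token mocking. The header names, the gateway certificate CN and the route-to-scope table are assumptions.

```python
# Added example, not from the HN thread. Header names, the gateway's cert CN and
# the policy table are assumptions chosen for illustration.
from dataclasses import dataclass

GATEWAY_CN = "api-gateway.internal"   # assumed CN on the gateway's client cert
SUBJECT_HDR = "X-Auth-Subject"        # assumed headers the gateway emits after
SCOPES_HDR = "X-Auth-Scopes"          # destructuring the token

POLICY = {                            # assumed (method, path) -> required scope
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}

@dataclass(frozen=True)
class Claims:
    subject: str
    scopes: frozenset

def claims_from_headers(headers, peer_cn):
    """Rebuild claims from the gateway headers.

    peer_cn is the CN of the client certificate presented on the mTLS
    connection. Anything not from the gateway is treated as unauthenticated,
    so a caller that reaches the service directly cannot forge claims simply
    by setting the same headers.
    """
    if peer_cn != GATEWAY_CN:
        return None
    subject = headers.get(SUBJECT_HDR, "").strip()
    if not subject:
        return None
    scopes = frozenset(s for s in headers.get(SCOPES_HDR, "").split() if s)
    return Claims(subject, scopes)

def handle(method, path, headers, peer_cn):
    """Return (status, body); 401 without gateway claims, 403 without scope."""
    required = POLICY.get((method, path))
    if required is None:
        return 404, "not found"
    claims = claims_from_headers(headers, peer_cn)
    if claims is None:
        return 401, "unauthenticated"
    if required not in claims.scopes:
        return 403, f"{claims.subject} lacks {required}"
    return 200, f"ok {claims.subject}"
```

Tests then just call handle() with a header dict; the mTLS check is the part that keeps the header-only trust model from collapsing when a client bypasses the gateway.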

So if I understand it correctly, a service would respond with HTTP headers that describe the claim necessary for the action? Which begs the question, how would that work with side effects?

Or would the acquired claim be communicated to the service in the request? Which begs the question, how does the service communicate which claim is required?

Not trying to be critical by the way, genuinely curious.

That sounds like authentication not authorization.