https://sdoxsee.github.io/blog/2020/0...
Managing application-specific authorization based on identity and permissions.
In this screencast we demonstrate where a “policy service” fits in this stack (Spring Webflux, R2DBC, Spring Cloud Gateway, React, Keycloak): it manages the identity permissions (or policies) specific to each application in the architecture, rather than overloading the JWT, at the Identity Provider level, with irrelevant permissions.
For help, contact me on Twitter (@doxsees) or at https://simplestep.ca