Authorization in a microservice architecture often gets the least love; as a result it is usually half baked. Many people believe that once they implement OAuth, all their problems are solved; just pass around the access token between the microserices. In truth, OAuth is only half the solution: while OAuth is great for coarse grained authorization datam, it is ill-suited for policy based access control decisions. I’ll discuss the pain of our legacy “access control in code” approach that led to building a true Policy Server based on Open Policy Agent. This talk will open your eyes to a more complete understanding of authorization, and especially access control, in a microservice architecture.