Modern applications are multi-client, multi-platform distributed applications powered by (micro)services. Once you have solved the identity problem, you will inevitably face the question “what is the user allowed to do?”. It is very tempting to blur the lines between identity, authorization and business logic – but this leads to problems down the line. As part of our work on PolicyServer (https://policyserver.io) we have developed a reference architecture that brings together OpenID Connect, OAuth 2.0, tokens and claims in a way that keeps these concerns separate and allows for future growth. Come and learn how!