One of the most widely held misconceptions is that authorization and authentication are the same, or something your identity provider does. It also doesn't help that certain authentication vendors blur the line by offering their versions of access controls. But, the reality is that authentication and authorization are two distinct processes with vastly different challenges and architectural needs.
Authentication is a solved problem. We have well-defined standards, protocols, and established vendors that offer off-the-shelf solutions. Authorization, on the other hand, is far from solved. There are no standard protocols or frameworks, so every app must build its own system. To make matters worse, authorization is a complex problem, one that requires a distributed systems architecture with real time access checks to get right. Read on for all the details.