Is the authorization server typically only used for authenticated requests, or also for unauthenticated (guest) requests?
Sam Lock (Cerbos)
08/02/2023, 4:30 PM
The general pattern we'd expect is for user/principal information to be gathered from the authentication/identity provider and used in subsequent requests to the PDP (most commonly, roles that the user can assume). That said, there's nothing saying that you couldn't implement (say) a default role and pass that in each request.