This is the second post in a two-part series about enforcing API authorization policies using Apigee, Okta and OPA. While the first post explained how to set up all three to work together, this post dives into detail on the policies that go along with the working code. The application we will be discussing is based on a hypothetical medical insurance provider Acme Health Care.

API gateways have become a standard component in modern application architectures. The gateway exposes application APIs to the Internet and serves as a logical place to enforce policy. This is a two-part series about enforcing API authorization policies in Apigee with Okta as the identity provider (IdP).

Cloud-native organizations embracing microservices are running into an unavoidable security question: how to handle microservice authorization controls? The central problem is this: unlike monolithic app structures, microservices architectures expose dozens more functionality through APIs, which can leave them vulnerable to attack.