We already have Authentication Middleware that verifies an existing JWT and places the claims into the context of an HTTP Request. We need to extend that to process a policy using Casbin based on the contents of the jwt.

We have discussed making these two activities part of two separate net/http middleware functions. We have also discussed making it just one. If we combine Authentication and Authorization decisions into a single middleware, we may not need to make the claims available in the context at all. At the very least, that should be a middleware configuration option.