Identity-Aware Access Control with Reverse Proxies

Participants will build a complete identity-aware access control system using Keycloak (OIDC identity provider), Envoy Proxy, and containerized backend services. Through hands-on exercises, attendees will experience firsthand why "Alice accessing Bob's resources" should return a 403 Forbidden response, even when both users are authenticated with valid credentials.

Part 1: Identity with OAuth2/OIDC (30 min)
* OAuth2 vs OIDC: Authorization vs Authentication
* JWT token structure (Header, Payload, Signature)

Part 2: Building the Reverse Proxy (30 min)
* Envoy's filter chain architecture
* JWT authentication filter configuration
* RBAC authorization filter with identity-based policies

Part 3: Audit Logging and Considerations (15 min)
* Dynamic metadata for identity-aware logging
* Analyzing access patterns for security incidents
* TLS termination, rate limiting, and hardening
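As an added example, not part of the session or its materials, the Envoy HTTP filter chain below wires together the pieces the outline names: the JWT authentication filter (rejecting requests without a valid Keycloak token), the RBAC filter with one policy per identity so that Alice's token reaching `/users/bob/...` matches no policy and gets a 403, and the JWT payload exported as dynamic metadata for logging. The issuer, JWKS URL, audience, the `keycloak` cluster (which must be defined under `clusters`) and the `alice`/`bob` subject values are assumed placeholders; a real Keycloak `sub` is a UUID.

```yaml
# Added example (not from the session). Issuer, JWKS URI, audience,
# cluster name and the subjects alice/bob are assumed placeholder values.
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      keycloak:
        issuer: https://keycloak.example.test/realms/demo          # assumed
        audiences: [demo-api]                                        # assumed
        remote_jwks:
          http_uri:
            uri: https://keycloak.example.test/realms/demo/protocol/openid-connect/certs
            cluster: keycloak                                        # assumed cluster
            timeout: 5s
          cache_duration: 300s
        # Verified claims are stored as dynamic metadata under
        # envoy.filters.http.jwt_authn -> jwt_payload, for RBAC and access logs.
        payload_in_metadata: jwt_payload
    rules:
    - match: { prefix: / }
      requires: { provider_name: keycloak }   # missing or invalid token -> 401
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: ALLOW   # a request matched by no policy is denied with 403
      policies:
        alice-own-resources:
          permissions:
          - url_path: { path: { prefix: /users/alice/ } }
          principals:
          - metadata:
              filter: envoy.filters.http.jwt_authn
              path: [{ key: jwt_payload }, { key: sub }]
              value: { string_match: { exact: alice } }
        bob-own-resources:
          permissions:
          - url_path: { path: { prefix: /users/bob/ } }
          principals:
          - metadata:
              filter: envoy.filters.http.jwt_authn
              path: [{ key: jwt_payload }, { key: sub }]
              value: { string_match: { exact: bob } }
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

For the identity-aware audit log, the connection manager's `access_log` format can include `%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:jwt_payload:sub)%` so every log line carries the authenticated subject next to the path and response code.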

Boris Kurktchiev

Chief Plumber, call me 'B'

Durham, North Carolina, United States
