I assume that's the other way round: first link for authZ (== access control), 2nd and 3rd for authN.
I am still struggling. Am I correct in thinking that the policies apply to the keys, i.e. access tokens, generated by Tyk only? We want an end-user to authenticate with a third party, e.g. AD issuing an OIDC ID token. How do I specify access restrictions based on identity claims, e.g. roles?