Thank you for updating your post.   Much better.

I will now step aside and listen to the subsequent answers with great interest, as I am dealing with vaguely-similar issues right now, too.

(And, P.S. ... how about actually logging in before replying, folks ... and maybe being a wee bit less cryptic in those replies?   AtDhVaAnNkCsE ... == “thanks in advance.” )

One thing that I am curious about, and truly do not myself know the answer to, is:   “does it actually work to provide only an ‘authorization’ handler, in the absence of the other two?”   Particularly in the absence of an “authentication” handler?   (i.e. “if you do not know who I am, how do you know that I am authenticated to do anything?”)   Does this “authorization” handler as-presented by the OP do an appropriate thing, or too much or too little?   Does it need to be more-than-one handler?

I am an interested-party along with the OP ... not in a position to answer the question, but also-interested in what the answer is.