Authorization
In the context of the OWIN Framework, authorization is the business of knowing what is allowed within the context of the current request. Almost all authorization middleware will have a dependency on identification middleware, because you can't determine what should be permitted unless you know the identity of the entity that made the request.
Authorization middleware will typically have identities assigned to roles, where roles belong to multiple groups and each group grants or denies specific permissions. Although this is the most typical design, the OWIN Framework does not impose any particular design on the authorization middleware; it just needs to be able to test whether the identity making the request has a specific permission or not.
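The identity, role, group and permission chain described above, as an added C# example that is not code from the OWIN Framework. `PermissionStore`, `Effect`, the sample names and the conflict policy (default deny, explicit deny overrides grant) are all assumptions made for illustration; the page does not specify how conflicting grants and denies are resolved.

```csharp
using System;
using System.Collections.Generic;

public enum Effect { Grant, Deny }

// Hypothetical store for illustration; these names are not OWIN Framework APIs.
public sealed class PermissionStore
{
    private readonly Dictionary<string, string[]> _rolesByIdentity = new Dictionary<string, string[]>();
    private readonly Dictionary<string, string[]> _groupsByRole = new Dictionary<string, string[]>();
    private readonly Dictionary<(string Group, string Permission), Effect> _rules =
        new Dictionary<(string Group, string Permission), Effect>();

    public void AssignRoles(string identity, params string[] roles) => _rolesByIdentity[identity] = roles;
    public void AddRoleToGroups(string role, params string[] groups) => _groupsByRole[role] = groups;
    public void SetRule(string group, string permission, Effect effect) => _rules[(group, permission)] = effect;

    // Assumed policy: default deny, and an explicit Deny from any group overrides every Grant.
    public bool HasPermission(string identity, string permission)
    {
        if (identity == null || !_rolesByIdentity.TryGetValue(identity, out var roles))
            return false; // unidentified or unknown caller gets nothing
        var granted = false;
        foreach (var role in roles)
        {
            if (!_groupsByRole.TryGetValue(role, out var groups)) continue;
            foreach (var group in groups)
            {
                if (!_rules.TryGetValue((group, permission), out var effect)) continue;
                if (effect == Effect.Deny) return false; // one deny is final
                granted = true;
            }
        }
        return granted;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new PermissionStore(); // constructed sample data
        store.AssignRoles("alice", "editor", "contractor");
        store.AddRoleToGroups("editor", "content-writers");
        store.AddRoleToGroups("contractor", "external-users");
        store.SetRule("content-writers", "page:edit", Effect.Grant);
        store.SetRule("content-writers", "page:delete", Effect.Grant);
        store.SetRule("external-users", "page:delete", Effect.Deny);
        Console.WriteLine(store.HasPermission("alice", "page:edit"));   // granted via editor role
        Console.WriteLine(store.HasPermission("alice", "page:delete")); // contractor deny wins
        Console.WriteLine(store.HasPermission("mallory", "page:edit")); // unknown identity
    }
}
```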
Authorization systems will need some way to configure who has which roles and what permissions those roles grant. This could be a separate tool, or the authorization middleware can include a UI to manage this. None of this is part of the OWIN Framework standardization; the middleware developer is free to make all implementation choices.