I've gotten used to using an external service for AuthN, but I'm still on the fence about whether I want or need the complexity of external AuthZ (though my architecture is still evolving around a single core monolith system, despite having a dozen satellite micro and not-so-micro services).

My main grief with external AuthZ is that they are engineered to be too generic and unconcerned with space and resource consumption.

Have you considered one of the open source solutions 'inspired by Google's Zanzibar paper' as an extension to your Option 3?

