We have just started splitting our monolith into services. We are going to extract the authentication/authorization service out of the monolith first. Now we have a choice - API Gateway to provide authentication vs a standalone service (Like IdentityServer4 for example).
Our auth scenarios are pretty broad - web app, mobile apps, internal tools, OAuth1 that needs to be deprecated, some hand-written API authentication.
I'm leaning towards the separate service approach, because of these pros:
- We can deploy/scale auth and gateway separately
- We can swap gateway for another one easier
- Auth server is open source and written in a familiar language, easier for us to understand - customizing it is likely to be easier
But the cons I can see:
- More moving parts
- We will need to integrate Auth Server and Gateway that may be hard
I wonder what other pros/cons of both approaches I'm missing?