Should microservices be responsible for handling their own authorization or you think it’s better to have a separate authorization service that is shared across all or a subset (within the same business domain) of microservices?
To me the latter makes more sense as it makes it easier to apply changes, enforce policies; it is DRY etc. However it can easily get out of hand by all sorts of services dumping their rules into one place, and also concerned about the network overhead.
Any thoughts?