Extracting Authentication to a Microservice

Source: DEV Community

The Problem

Authentication isn't a feature you bolt on - it's foundational infrastructure that deserves its own service boundary. I recently architected and built a dedicated authentication and authorisation service, extracting it from a monolithic application where auth logic was tangled with business logic. Other services and applications now consume this auth service, creating a centralised identity provider that serves multiple consumers.

This is the story of the patterns I used, the trade-offs I made, and why I started with authentication as the foundation and am fanning out to related concerns (user profiles, preferences, permissions) as needed.

Why Extract Authentication?

Separation of Concerns

Authentication is cross-cutting. Multiple applications needed it - the original monolith, new microservices, mobile apps, third-party integrations. Rather than duplicating auth logic across services, we extracted it into a dedicated identity provider. This service handles only authenticat