by dwaite
1637 days ago
> It is surprising that nearly every solution out there aims to handle both authentication and authorization. We choose to strictly separate these and delegate identity to established third parties or our customers[0].

It is a trade-off. Both the authentication and authorization process are typically customized to business requirements, and splitting them apart gives more flexibility in customizing them. However, the expectation is often that these are both represented to the user as part of the same cohesive experience. Independent implementations of authentication and authorization can make this more challenging. There is also the expectation that an authentication product provide services like registration and account management. Account management often includes controlling any granted delegated authorizations, which mandates additional coupling between the two systems.