That makes sense. Having a central authorization has its own complexities. Managing it at the microservice level is definitely a simpler and more straightforward approach. For us, the reason why we chose a central authorization is because we want to be able to create new permissions and map them to endpoints directly via a UI. This is especially important since we have different apps that might be accessing the same endpoints and different permissions will need access to those endpoints.
We are currently planning on removing permissions from our JWT claims though because the number of permissions some users have is becoming quite large since they use these permissions to access over 5 apps.
My only worry with having each service implement their own authorization is duplication of authorization logic across services.
Another approach we could have taken was to handle authorization at the API gateway level without calling a different authorization service.
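As an added illustration (not code from anyone in this thread), here is a minimal sketch of the gateway-enforced central model the reply describes: a permission-to-endpoint map of the kind a UI would edit, several apps' permissions granting the same endpoint, JWT claims carrying only the subject so permissions are resolved server-side instead of being embedded, and a fail-closed authorize check applied before the gateway forwards a request. All names, routes and sample data are constructed; the claims dict is assumed to come from a token whose signature the gateway has already verified.

```python
import fnmatch
from typing import Dict, Set, Tuple

# Constructed: the permission -> endpoint mapping a central authorization
# service would hold (and expose for editing through a UI). Several apps share
# these endpoints, so more than one permission may grant the same route.
ENDPOINT_PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("GET", "/api/orders/*"): {"orders:read", "support:view-orders"},
    ("POST", "/api/orders"): {"orders:write"},
    ("DELETE", "/api/orders/*"): {"orders:admin"},
    ("GET", "/api/reports/*"): {"reports:read"},
}

# Constructed: permissions resolved by subject on the server side, so the JWT
# only needs a "sub" claim rather than a large permissions list.
SUBJECT_PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"orders:read", "orders:write", "reports:read"},
    "bob": {"support:view-orders"},
}


def required_permissions(method: str, path: str) -> Set[str]:
    """Return the permissions that grant this method/path (empty if unmapped).

    fnmatch's '*' also matches '/', so '/api/orders/*' covers nested paths.
    """
    path = path.split("?", 1)[0]  # authorization decision ignores the query string
    for (m, pattern), perms in ENDPOINT_PERMISSIONS.items():
        if m == method.upper() and fnmatch.fnmatchcase(path, pattern):
            return perms
    return set()


def authorize(claims: dict, method: str, path: str) -> bool:
    """Gateway-side check: deny by default, allow if any granted permission matches."""
    subject = claims.get("sub")
    if not subject:
        return False  # no identity, no access
    allowed = required_permissions(method, path)
    if not allowed:
        return False  # endpoint not in the map: fail closed rather than open
    granted = SUBJECT_PERMISSIONS.get(subject, set())
    return bool(allowed & granted)
```

Unmapped endpoints are denied on purpose: with a UI-managed map, a route that nobody has registered yet should not be reachable by accident.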