languagehacker · 5 years ago
I'd probably rather use something a bit more broadly adopted, like OAuth2 + OIDC.
xyst · 5 years ago
The lazy me wants to use this for future projects to secure my APIs, but the curious me wants to reimplement this type of project in Go.

Were there any gotchas in implementing this type of identity access management system?

whoisjohnkid · 5 years ago
Lol I was thinking the same thing. Go FTW!
pier25 · 5 years ago
In my current project we're using FaunaDB which handles authorization for you. It really makes a lot of sense moving the permissions to the DB instead of having them in the logic layer.
prpl · 5 years ago
I have built something sort of similar using purely `auth_request` and nginx. Basically, each nginx location (ingress rule in Kubernetes) specifies the scopes it cares about, and the request gets sent to a small webapp which checks a JWT for those scopes, logs the user and access, etc.

The scopes look like github scopes, e.g. `read:resource`. So it’s more of a capabilities based system vs an RBAC one, but we have translated roles (via LDAP group membership) to capabilities to simplify things in some cases.
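
An added sketch of the scope check described in the comment above; it is not the commenter's code. It assumes an HS256 token signed with a shared key, that each nginx location forwards its scopes to the `auth_request` subrequest in a hypothetical `X-Required-Scopes` header, and that the `scope`/`groups` claim names and the group-to-scope table are illustrative.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: shared HS256 key, demo value
GROUP_SCOPES = {"ops": {"read:resource", "write:resource"},  # assumption:
                "staff": {"read:resource"}}                  # LDAP group -> scopes

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims):
    """Build a constructed HS256 token so the demo runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify(token, now=None):
    """Return the claims if alg, signature and exp all check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        if claims["exp"] <= (now or time.time()):  # a missing exp is rejected
            return None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return claims

def authorize(headers, now=None):
    """Status for nginx auth_request: 2xx allows, 401/403 denies."""
    auth = headers.get("Authorization", "")
    claims = verify(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401
    granted = set(claims.get("scope", "").split())
    for group in claims.get("groups", []):  # translate roles to capabilities
        granted |= GROUP_SCOPES.get(group, set())
    required = set(headers.get("X-Required-Scopes", "").split())
    # Fail closed: a location that forwards no scopes is treated as misconfigured.
    if not required or not required <= granted:
        return 403
    print(f"access sub={claims.get('sub')} scopes={sorted(required)}")
    return 204
```
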

joantune · 5 years ago
This is an underrated post at the moment.

Something like this is great to centralize management