The trick is to have your gateway handle authn, and then proxy authz data upstream so those services can decide how to handle it without needing to make a second call to the identity service.

You probably want to have a UI for account creation and password resets, right? There's a frontend that has to talk directly to identity service.

You may want to bill based on # of active users - well that's interactive with the identity service (you can do this without billing calling the identity services' API, but the alternatives are just other common dependencies.

You may want a tool for the support team to search identity service to find a user or their account status.

If you have a sharing feature, you may want that to verify you are sharing with an account that exists.