I want to disagree with both of you - the sweet spot is often 3rd-party authN, 1st-party authZ:

* don’t try to implement the hard/annoying bits (strange access detection, account recovery, sending emails, password storage)

* keep ownership of your user list and users’ capabilities