Authentication is (usually) not that complex, but identity and authorization are. I've seen plenty of institutional regret when each application has its own pool of users and an internal authZ system.
Authorization is one of these areas that has traditionally been viewed as too hard to extract from the application, but it's core to no one's business and in recent years lots of companies have started to use authorization products. I'd chalk this up to:
1) Better abstractions for disentangling authorization
2) Better technical literature on the subject [1][2]
3) Increasing comfort with third-party infra services (RDS, LaunchDarkly, etc.)
Note: I'm cofounder of an authorization-as-a-service company (Oso) [3]
