so in our cases we have two microservices, one that handles first-class security via AuthZ, and a second that handles some less important aspects. We wouldn't want both of them to have to handle session management