For user requests only.
Situation: you have an API gateway (e.g. Traefik) or service mesh (e.g. Istio) that can intercept and redirect requests. You have some existing authz system you want to use, maybe the same one as for your East-West traffic. You want to redirect requests without a valid session / JWT to log in at a third-party identity provider.
Options:
Situation: you have an API gateway that can intercept requests. You want to redirect requests without a valid session / JWT to log in at a third-party identity provider and enforce some policy on that request at the same time.
Options:
loginserver4, ORY Hydra, ...
The reverse proxy / identity-aware proxy / thing that intercepts your requests.
Traefik, Envoy, ORY Oathkeeper, Pomerium, ...
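
The gateway decision from the second situation above (no valid session / JWT means redirect to the identity provider, otherwise enforce policy on the request), as an added example that is not from the original notes. The HS256 key, the IdP URL, the policy table, the `return_to` parameter and the `X-Auth-Subject` header are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import quote

SECRET = b"constructed-demo-key"              # assumption: HS256 key shared with the IdP
IDP_LOGIN = "https://idp.example.test/login"  # placeholder identity provider URL
# Constructed policy: (method, path) -> roles allowed. Anything unlisted is denied.
POLICY = {("GET", "/reports"): {"analyst", "admin"},
          ("POST", "/reports"): {"admin"}}

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims, alg="HS256"):
    """Build a constructed token for the demo (the IdP would do this)."""
    h = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64e(sig)}"

def verify(token, now=None):
    """Return the claims of a valid, unexpired HS256 token, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64d(h)).get("alg") != "HS256":  # pin the algorithm, rejects "none"
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(s)):
            return None
        claims = json.loads(b64d(p))
        if claims["exp"] <= (now or time.time()):      # a missing exp is treated as invalid
            return None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    return claims

def decide(method, path, original_url, authorization=None, now=None):
    """Forward-auth style decision: returns (status, response headers)."""
    token = authorization[7:] if (authorization or "").startswith("Bearer ") else ""
    claims = verify(token, now)
    if claims is None:  # no valid session / JWT: send the browser to the IdP login
        return 302, {"Location": f"{IDP_LOGIN}?return_to={quote(original_url, safe='')}"}
    allowed, role = POLICY.get((method, path)), claims.get("role")
    if allowed is None or not isinstance(role, str) or role not in allowed:
        return 403, {}  # authenticated but not permitted: deny, do not redirect
    return 200, {"X-Auth-Subject": str(claims.get("sub", ""))}
```

The split between 302 and 403 matters: an authenticated but unauthorized user who gets redirected to login ends up in a redirect loop, and the identity provider should only honor `return_to` values on an allow-list.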