Microservices authorization where it should take place?

I have discussions at work for authorization, and we have different opinions about what it should look like. I would like to ask StackOverflow community which approach is correct because I can't find myself.

We're creating a new project. We will use:

  • kong as a proxy
  • keycloak as an identity provider.

The user in the application will create the resource. Let's call it workspace. The workspace will contain a different resource, and the depression will go deeper. Example URL: /workspace/123/resource-A/321/resource-C

There are 2 approaches presented in my work:

  • at the beginning of the URL there will always be a workspace as prefix and then kong will use the LUA scripts to ask the workspace microservice whether the logged-in user has access into it and then redirect the request to the microservice. Each microservice will also start its URL from the workspace because we need a workspace ID to verify access to resource-A. They propose this approach because they want to limit the number of requests to microservice workspace from places other than kong. Example URL: /workspace/123/microservice-A/workspace/123/microservice-B

  • URL does not have dependencies from the workspace, kong will be responsible for the proxy and communications with kong, the microservice will directly ask the workspace microservice for access using a token that was provided by the proxy. Each microservice decides its own access. Url examples: /resource-A, /resource-B

The system will also have microservice not connected to the workspace, but there will be fewer of them.

Do you know any other approaches? Which of my approaches is the most correct?

Thanks for help