Tags: wordpress, authentication, oauth, microservices, user-management

Separating Login and User Management from Application


I'm looking to completely decouple user management, login, permissions, and user data from my application. The main reason for this is that the application will consist of a WordPress site, a native app, and a custom PHP API that all need to allow a user to log in.

I don't want to use WP for the user login, as I don't want to tie all our user data to WP in case we want to migrate to something else in the future. I've looked at things like Auth0, but it seems fairly heavy and costly. What I'd like to do instead is build a separate service that can store user fields, metadata, and permissions, and act as a login service.

Based on those credentials, I can give access to certain sections of WP, unlock content in the native app, and authenticate for certain access levels in our API. Has anyone had any experience with decoupling their user management in a similar scenario?


Solution

  • If you really want to decouple the user management from your app, you can use specifications like OAuth 2.0 or OpenID. They are two different specs, and you should have a look and see which fits you best.

    If you write your code in Java, you can use (for free) Spring Security together with authentication-flows. That will cover all security issues as well as all user management flows like registration, forgot password, change password, etc.
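To make the decoupling concrete, here is an added example (not code from the question, the answer, or any project named above) of the shape such a standalone login service takes: it owns the user store and password hashes, and issues a signed bearer token carrying the user's scopes; the WordPress site, the PHP API, and the native app each verify the same token with the shared key and map the scopes to their own idea of access. Python is used here for brevity rather than the PHP or Java the thread mentions; the HMAC-signed token is a deliberately simplified stand-in for a real OAuth 2.0 / OpenID Connect token, and all user names, scope names, the signing key, and passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Shared secret between the auth service and every resource server.
# Constructed value for this example; in deployment each side loads it from config.
SIGNING_KEY = b"example-signing-key-change-me"
TOKEN_TTL_SECONDS = 3600
PBKDF2_ROUNDS = 200_000


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256; stored as 'salt$digest' so the salt travels with the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return _b64url(salt) + "$" + _b64url(digest)


def check_password(password: str, stored: str) -> bool:
    salt_b64, digest_b64 = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _b64url_decode(salt_b64), PBKDF2_ROUNDS)
    return hmac.compare_digest(_b64url(digest), digest_b64)  # constant-time comparison


# Constructed user store: this is what the separate service owns instead of WordPress.
USERS = {
    "alice": {"password": hash_password("correct horse"), "scopes": ["wp:editor", "app:premium", "api:write"]},
    "bob":   {"password": hash_password("hunter2"),       "scopes": ["wp:subscriber", "api:read"]},
}


def issue_token(username: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """Login endpoint of the auth service: returns 'payload.signature' or None on bad credentials."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None or not check_password(password, user["password"]):
        return None
    payload = {"sub": username, "scopes": user["scopes"], "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Run by every consumer: rejects malformed, tampered, or expired tokens before trusting claims."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # signature checked before the payload is even parsed
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def has_scope(claims: Optional[dict], scope: str) -> bool:
    return claims is not None and scope in claims.get("scopes", [])


# Each consumer maps the shared claims onto its own access model (hypothetical scope names).
def wordpress_role(token: str, now: Optional[int] = None) -> Optional[str]:
    claims = verify_token(token, now)
    if claims is None:
        return None
    return next((s[3:] for s in claims["scopes"] if s.startswith("wp:")), None)


def api_access_level(token: str, now: Optional[int] = None) -> str:
    claims = verify_token(token, now)
    if has_scope(claims, "api:write"):
        return "write"
    if has_scope(claims, "api:read"):
        return "read"
    return "none"


def app_content_unlocked(token: str, now: Optional[int] = None) -> bool:
    return has_scope(verify_token(token, now), "app:premium")


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse")
    print("WP role:", wordpress_role(tok), "| API:", api_access_level(tok), "| app:", app_content_unlocked(tok))
```

The point of the split is that none of the three consumers ever sees a password or reads the user table; they only need the verification key and a short scope-to-role mapping, so swapping WordPress out later does not touch the user data. A production version would replace the hand-rolled token with a standard JWT (or an opaque token introspected at the auth service) so that signature rotation, key IDs and audience checks are handled for you.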