Problem
A healthcare platform spread across ~28 microservices accumulates the usual debts: duplicated utility code per service, an identity layer that grew faster than it was designed for, and infrastructure changes that block on tribal knowledge. The kind of friction that doesn't show up in any single PR — it shows up in every PR.
Approach
Ship breaking changes as coordinated, versioned migrations — not quiet patches. Move shared functionality into versioned NuGet packages (api-core, service-core, core-security) so every service consumes the same primitives. Treat identity as a product, not glue: migrate from the legacy provider to Keycloak with OIDC-native claims, and version the security library as a real semver release (v2.0.0) so consumers adopt at their own pace.
Result
Cleaner service boundaries, less per-service ceremony, and a security library that no longer requires reading every consumer's code to make a change. The team can now evolve identity behavior — claim shapes, authorization gates, token validation — without spelunking through every microservice that touches auth.
