sknebel: aaronpk: to expand on the earlier comment: in both cases, to me the main complexity right now seems to be about a) the clients and b) managing the existing permissions and tokens, and I'm not sure either approach makes a big difference there once you get into renewal, revocation, ...