I've never understood why x.509 authorisation certificates aren't more widely used for this. They're off-line, self sufficiently asserted in the connection context, stacking, are unopinionated about application semantics in terms of authorisation rules/grants/restrictions, have well tested infrastructure for parsing and validation, and can use ocsp stapling for validity, and ct logs for audit. They're used in CERN VOMS, etc. and seem like a great fit for distributed systems doing authorisation but they don't seem widely known or used.
Because it's not so easy to setup and manage? Maybe it will become more popular with tools like https://github.com/gravitational/teleport