Apr 4, 2023
API gateway CAN handle authentication BUT...
What happens with an internal redirect? It bypasses all security at the API Gateway!
Furthermore, every RBAC rule in the Gateway has to be duplicated in the application (there is no synchronization), and the API Gateway cache is not RBAC-aware, so you get escalation of privileges.
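As an added illustration of the cache point above (example code written for this page, not from the post or the linked article; the Gateway, Principal and backend names and the account records are constructed): a toy gateway whose response cache is keyed by path alone serves alice's cached account record to mallory, while keying the cache by the authenticated principal keeps the application's own authorization decision in force.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, dict]


@dataclass(frozen=True)
class Principal:
    """Authenticated identity the gateway established (hypothetical model)."""
    user: str
    roles: frozenset


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    principal: Optional[Principal]  # None = anonymous


# Constructed sample data: each account is readable only by its owner or an admin.
ACCOUNTS = {
    "acct-1": {"owner": "alice", "balance": 1200},
    "acct-2": {"owner": "bob", "balance": 80},
}


def backend(req: Request) -> Response:
    """The application: it enforces the (duplicated) RBAC rule itself."""
    acct_id = req.path.rsplit("/", 1)[-1]
    acct = ACCOUNTS.get(acct_id)
    if acct is None:
        return 404, {"error": "not found"}
    if req.principal.user != acct["owner"] and "admin" not in req.principal.roles:
        return 403, {"error": "forbidden"}
    return 200, dict(acct)


class Gateway:
    """Minimal gateway: authenticates, then caches successful GET responses."""

    def __init__(self, cache_key: Callable[[Request], tuple]) -> None:
        self.cache_key = cache_key
        self.cache: Dict[tuple, Response] = {}
        self.backend_calls = 0

    def handle(self, req: Request) -> Response:
        if req.principal is None:
            return 401, {"error": "unauthenticated"}
        key = self.cache_key(req)
        hit = self.cache.get(key)
        if hit is not None:
            return hit  # served without consulting the application
        self.backend_calls += 1
        resp = backend(req)
        if req.method == "GET" and resp[0] == 200:
            self.cache[key] = resp
        return resp


def key_by_path(req: Request) -> tuple:
    """Weak: identity is not part of the key, so one user's 200 is replayed to everyone."""
    return (req.method, req.path)


def key_by_path_and_principal(req: Request) -> tuple:
    """Hardened: the authenticated principal is part of the key (cf. Vary on the credential)."""
    return (req.method, req.path, req.principal.user, tuple(sorted(req.principal.roles)))


def demo(gateway: Gateway) -> Tuple[int, int]:
    """Alice reads her account, then Mallory asks for the same path; returns both status codes."""
    alice = Principal("alice", frozenset({"user"}))
    mallory = Principal("mallory", frozenset({"user"}))
    first, _ = gateway.handle(Request("GET", "/accounts/acct-1", alice))
    second, _ = gateway.handle(Request("GET", "/accounts/acct-1", mallory))
    return first, second


if __name__ == "__main__":
    print("path-only cache key:     ", demo(Gateway(key_by_path)))               # (200, 200)
    print("per-principal cache key: ", demo(Gateway(key_by_path_and_principal)))  # (200, 403)
```

With the path-only key the second request never reaches the application, so the 403 the application would have returned is replaced by Alice's cached record. Keying by principal restores the decision; keying by role alone would still leak owner-scoped data between users with the same role, which is why the key carries the user as well.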
https://medium.com/@apiexpert/why-api-gateways-are-dead-7c9e324ff70a