A system like this, at least the parts that are not public needs to be put behind an authenticating proxy, in the style of Google's BeyondCorp system. That way, there's a very hardened authentication gateway that all the other various implementations can sit behind. The auth implementations of the individual components doesn't multiply your exposure. With CORS implemented, it could be pretty decent out of the box ....
