In my opinion, you’ll need to analyze your current system’s architecture, business rules, and integration requirements before choosing a specific communication pattern. Without understanding what responsibilities the legacy system must delegate to the new identity service, it's impossible to recommend REST, gRPC, or message queues.
Each option depends on concrete details:
1. What exactly needs to be moved out of the monolith?
2. Which operations are synchronous (e.g., login, token issuance) vs. asynchronous (e.g., KYC updates)?
The right solution isn't universal; it must follow your business workflows and technical constraints.