SSPR vs Account

I recently realized I did a confusing thing. I have two services that are separate instances of the same app that do similar but different things, and so I wanted to write up something on why I did it like this. The tl/dr is that it makes it easier on me to implement the functions I wanted. The longer explanation is what those functions are.

Since one is already logged in with Authelia, I wanted there to be a password site that would work with the SSO. I also wanted to be able to allow y'all to deal with forgotten passwords on your own because I know I love me a good self-checkout as much as the next introvert. Problem is, the password reset feature couldn't be behind Authelia, because Authelia needs a login, see? So, I made two separate instances of the password manager app with very different configurations. The SSPR site needed to be accessible outside the SSO, and the Account site needed to only work with the SSO, which I will call the Eyeballs Venn-Diagram for functionality. The account site also has the join site in it, which doesn't make sense to have on a site that can't be reached without a login. Now, PWM does offer a lot of granularity, and if it wasn't for the SSO requirement I could get away with a single instance, but alas. Both apps interface with Active Directory for all user account info, so they're modifying the same auth servers.