What is the recommended approach to authentication when calling one service from another service (both with endpoints authenticated through Auth0)?
In a little more detail: we have created a few services with REST endpoints that use Auth0 for authentication. An endpoint is called either with a JWT bearer token when the caller is our web app, or with basic authentication when it is called by a third party. In the latter case the third party is given a client ID and secret, these are delivered in a basic authentication header, and our app then authenticates against Auth0 to get a token (this is done because we don't want our third parties to have to obtain a token first before calling).

In some of our services we will need to call some of our other services. In this case we may forward the authentication header we just received. We can also decide to just let the service have its own client and obtain its own token. The former approach has the advantage that the information about the external caller will be available. In the latter approach we will know which service is calling, but will not have the information about the external caller available, which will probably in most cases be needed for authorization.

I hope there is a recommended approach for these scenarios.
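As an added example (not part of the original question and not Auth0's own code), here is a small pure-Python model of the two options above. It adds the check a downstream service needs either way: a token forwarded from service A is only valid at service B if B is in the token's `aud`, so the decision of whether to forward or to use the service's own client-credentials token can be made from that claim. Constructed HS256 signing stands in for Auth0's RS256/JWKS verification, and the service names and claims are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret with HS256 signing so the example runs offline; Auth0
# issues RS256 tokens that a real service verifies against the tenant's JWKS.
SECRET = b"demo-shared-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _as_list(aud) -> list:
    # `aud` may be a single string or a list of audiences.
    return [aud] if isinstance(aud, str) else list(aud or [])

def mint_token(claims: dict) -> str:
    """Sign claims as a compact JWT; stands in for the Auth0 token endpoint."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, my_audience: str, now=None) -> dict:
    """Check signature, expiry and that this service is an intended audience."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if my_audience not in _as_list(claims.get("aud")):
        raise ValueError(f"token was not issued for {my_audience}")
    return claims

def outbound_auth(caller_claims: dict, caller_token: str,
                  downstream_aud: str, own_token: str) -> dict:
    """Pick the token for a downstream call.

    The caller's token is forwarded only if the downstream service is in its
    `aud`; otherwise this service's own client-credentials token is used and
    the caller's subject is reported so that identity is not silently lost.
    """
    forwarded = downstream_aud in _as_list(caller_claims.get("aud"))
    return {"token": caller_token if forwarded else own_token,
            "forwarded": forwarded, "caller": caller_claims.get("sub")}
```

When `forwarded` is false the downstream service only sees the calling service's identity, which is exactly the information loss described in the question; the `caller` field shows what would have to be conveyed by other means if it is needed for authorization.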