Machine to Machine communication on behalf of user

Hi, I do have this scenario.

I have API Service 1, API Service 2 and one Single Page Application (SPA) developed in React.

When the user is logged in, the SPA is able to call API Service 1 as well as API Service 2 on behalf of the user, using the token obtained from the user login.

But how can API Service 1 call API Service 2, and vice versa, on behalf of the user?

I’m able to achieve machine-to-machine communication with authentication, but how can a microservice call another microservice on behalf of a user?

Hi @rkrishna

This is a very complicated question actually, with many different ways of solving it.
We can’t really answer without a lot more details, and even then, it is complicated.
It depends on the security context and requirements.


Hi @john.gateley Thanks for your response.

I’m trying to call a backend service from another backend service (M2M) by passing user information. The service which receives the request has to know who the user is, just like when my React app sends a request to the service.

My React app is using the token obtained after user login to call the API service.

Is it possible to get the refresh token and access token when the user logs in using my React app, so that I can send this accessToken and refreshToken to my API service for persisting, and then use the persisted token to call another API service?

Hi @rkrishna

Thanks for the additional details. The problem here is the security context: I don’t know anything about the services and what security is required. This depends on a lot of factors.

This is complex enough I’d recommend a Professional Services engagement with Auth0. This requires a careful analysis of the situation first, then design of a solution that meets the security requirements. It is not something that can be done in a forum.


Can’t apiservice1 send the user object to apiservice2 and vice versa? Communication between your microservices should not depend on the authenticated user.
Usually communication between microservices is encrypted by TLS client certificate, or some mTLS design, which provides strong assurances of the calling microservice’s identity.