This is a very complicated question actually, with many different ways of solving it.
We can’t really answer without a lot more details, and even then, it is complicated.
It depends on the security context and requirements.
I’m trying to call a backend service for another backend service (M2M) by passing user information. The service which received the request has to know who the user is, just like when my React app is sending a request to the service.
My React app is using the token obtained after user login to call the API service.
Is it possible to get the refresh token and access token when the user logs in using my React app, so that I can send these accessToken and refreshToken to my API service for persisting and then use the persisted token to call another API service?
Thanks for the additional details. The problem here is the security context: I don’t know anything about the services and what security is required. This depends on a lot of factors.
This is complex enough that I’d recommend a Professional Services engagement with Auth0. This requires a careful analysis of the situation first, then design of a solution that meets the security requirements. It is not something that can be done in a forum.
Can’t apiservice1 send the user object to apiservice2 and vice versa? Communication between your microservices should not depend on the authenticated user.
Usually communication between microservices is encrypted by TLS client certificate, or some mTLS design, which provides strong assurances of the calling microservice’s identity.
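
The design suggested in the last reply, sketched as an added example (not code from any poster or from Auth0): apiservice2 takes the caller's identity from the verified mTLS client certificate and accepts the forwarded user object only from an allowed service. The host names, `ALLOWED_CALLERS`, the function names and the sample values are assumptions made for illustration.

```python
# Added example: apiservice2 authorizes the *calling service* from its verified
# mTLS client certificate and treats the forwarded user object as plain data.
import ssl

# Assumption: service identities are DNS names in the certificate SAN.
ALLOWED_CALLERS = {"apiservice1.internal.example"}


def server_tls_context(cert_file, key_file, ca_file):
    """TLS context for apiservice2 that refuses clients without a valid cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=ca_file)   # trust the internal CA only
    ctx.verify_mode = ssl.CERT_REQUIRED         # this is what makes TLS mutual
    return ctx


def caller_identities(peer_cert):
    """DNS SAN entries from the dict returned by SSLSocket.getpeercert()."""
    sans = (peer_cert or {}).get("subjectAltName", ())
    return {value for kind, value in sans if kind == "DNS"}


def accept_forwarded_user(peer_cert, body):
    """Return the user identity only if the caller is an allowed service."""
    callers = caller_identities(peer_cert) & ALLOWED_CALLERS
    if not callers:
        raise PermissionError("caller service not authorized")
    user = body.get("user")
    sub = user.get("sub") if isinstance(user, dict) else None
    if not isinstance(sub, str) or not sub:
        raise ValueError("missing or malformed user object")
    return {"caller": sorted(callers)[0], "user_id": sub}


# Constructed sample inputs (shape matches ssl.SSLSocket.getpeercert()).
GOOD_CERT = {"subjectAltName": (("DNS", "apiservice1.internal.example"),)}
OTHER_CERT = {"subjectAltName": (("DNS", "reports.internal.example"),)}
BODY = {"user": {"sub": "auth0|constructed-user-id", "email": "user@example.com"}}

if __name__ == "__main__":
    print(accept_forwarded_user(GOOD_CERT, BODY))
    try:
        accept_forwarded_user(OTHER_CERT, BODY)
    except PermissionError as exc:
        print("rejected:", exc)
```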