The answer depends a lot on the architecture being used, on whether one service is expected to call other services, and if that call will be on behalf of the user or not…
For example, a user may have a mail:send scope in his JWT, and uses it to call an email service. The email service, in turn, calls a logging microservice. Three choices here would be:
- The logging service is not exposed directly to end users. The email microservice call to the logging service is treated as a trusted call, with no authentication required.
- The logging service takes the same JWT that the email service received to do authorization.
- The email service is modelled as a client of the logging service. The email service, with the client credentials grant, obtains its own token to call the logging service. The logging service does not care who the end user is, it sees the email service as its client.
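The second and third choices above, worked through as an added example (not code from the original answer). It uses a minimal HS256 JWT built from the standard library so it runs offline; the shared secret, the `log:write` scope, the `email-service` client id and the `exp` handling are assumptions made for the illustration, not anything the answer specifies. Choice 1 needs no token code, since it relies on network trust alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical signing secret shared by the issuer and both
# services. A real deployment would use asymmetric keys from the token issuer.
ISSUER_SECRET = b"example-secret-do-not-reuse"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, secret=ISSUER_SECRET):
    """Mint a compact HS256 JWT: header.payload.signature (assumed toy issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, secret=ISSUER_SECRET):
    """Check structure, algorithm, signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def user_token(subject, scopes):
    """Token the end user presents to the email service (constructed example)."""
    return issue_token({"sub": subject, "scope": " ".join(scopes), "exp": time.time() + 300})


def client_credentials_token(client_id, scopes):
    """Token a service obtains for itself via the client credentials grant."""
    return issue_token({"sub": client_id, "client_id": client_id,
                        "scope": " ".join(scopes), "exp": time.time() + 300})


# Choice 2: the logging service re-validates the user's JWT that the email
# service forwarded, so the user's token must already carry a logging scope.
def logging_service_forwarded(token, message):
    claims = verify_token(token)
    if "log:write" not in claims.get("scope", "").split():
        raise PermissionError("user token lacks log:write scope")
    return f"[{claims['sub']}] {message}"


# Choice 3: the logging service only knows registered clients; the end user
# identity is irrelevant to it (hypothetical allow-list of client ids).
ALLOWED_CLIENTS = {"email-service"}


def logging_service_client(token, message):
    claims = verify_token(token)
    if claims.get("client_id") not in ALLOWED_CLIENTS:
        raise PermissionError("unknown client")
    return f"[client:{claims['client_id']}] {message}"


def email_service_send(user_jwt, to, mode):
    """Authorize the user's mail:send scope, then log via the chosen model."""
    claims = verify_token(user_jwt)
    if "mail:send" not in claims.get("scope", "").split():
        raise PermissionError("missing mail:send scope")
    entry = f"mail sent to {to}"
    if mode == "forward":
        return logging_service_forwarded(user_jwt, entry)
    if mode == "client":
        own_token = client_credentials_token("email-service", ["log:write"])
        return logging_service_client(own_token, entry)
    raise ValueError("unknown mode")


if __name__ == "__main__":
    tok = user_token("alice", ["mail:send", "log:write"])
    print(email_service_send(tok, "bob@example.com", "forward"))
    print(email_service_send(user_token("alice", ["mail:send"]), "bob@example.com", "client"))
```

The difference between the two models shows up when the user's token carries only `mail:send`: forwarding it (choice 2) fails at the logging service, while the client credentials model (choice 3) succeeds because the logging service authorizes the email service itself. Forwarding also means every downstream service must trust the same issuer and the user's token travels further than the user intended, which is the usual argument for the third model when the downstream call is not really on the user's behalf.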