zilcuanu

Reputation: 3715

Propagating access token between microservices

I am working on a microservices application where the client application sends the access token to the orders microservice with the POST call. When saving the order, the inventory microservice should be called to update the inventory. The inventory microservice's updateInventory method should also be protected.

In this use case, should I propagate the same access token to the inventory microservice and restrict the API access to update inventory, or should I make use of the client-credentials grant flow to allow the saveOrder method in the order microservice to invoke the updateInventory method in the inventory microservice?

Note: Both the order and inventory microservices are acting as resource servers. What is the right approach?

Upvotes: 2

Views: 4100

Answers (1)

Gary Archer

Reputation: 29273

Good question:

BOUNDARIES

If you were calling an external API belonging to someone else you would definitely use client credentials to get a token that entitles you to call that API.

MICROSERVICES

If the data owner is the same then most commonly you can simply forward the access token. This is how OAuth is meant to work: a scalable architecture that only requires simple code:

  • Client gets an access token with scopes for multiple APIs
  • Each API validates the JWT
  • Each API verifies its own scopes
  • Each API trusts the claims in the JWT and uses them for authorization

The Scope Best Practices article explains this for a real world system.

TRUST BOUNDARIES AND HIGHER PRIVILEGES

It is common to get a fresh token for high security operations, such as redirecting the user with a payment scope, or using token exchange before calling a less trusted API. This should be the exception rather than the rule though.

Upvotes: 9
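The forwarding pattern from the answer, as an added example that is not part of the answer or any real project: the orders service validates the JWT and checks its own scope, then propagates the same token to the inventory service, which independently validates it and checks its own scope. The HS256 shared secret, the `orders:write` / `inventory:write` scope names and the service functions are assumptions for the demo; a real authorization server would normally sign with an asymmetric key published via JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the (simulated) authorization server and both
# resource servers. Production systems should use asymmetric signing keys instead.
SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scope: str, ttl: int = 300) -> str:
    """Stand-in for the authorization server: mints an HS256 JWT carrying scopes for multiple APIs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "scope": scope, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_jwt(token: str, required_scope: str) -> dict:
    """What each API does on every request: pin the algorithm, verify signature and expiry, check its own scope."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError(f"missing scope {required_scope}")
    return claims  # claims are trusted for authorization only after these checks


def update_inventory(token: str, sku: str, qty: int) -> dict:
    """Inventory microservice endpoint: enforces its own scope regardless of who called it."""
    claims = validate_jwt(token, "inventory:write")
    return {"sku": sku, "delta": -qty, "actor": claims["sub"]}


def save_order(token: str, sku: str, qty: int) -> dict:
    """Orders microservice endpoint: checks its scope, then forwards the caller's token downstream."""
    claims = validate_jwt(token, "orders:write")
    inventory_result = update_inventory(token, sku, qty)  # same token, no new grant
    return {"order_for": claims["sub"], "inventory": inventory_result}
```

A token issued with only `orders:write` passes the orders service but is rejected by the inventory service, which is the per-API scope check the answer describes.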
