I’m considering a microservices approach for when the services commonly need to enforce data access controls as appropriate within each service. Is it a viable approach to:
a) Have all microservices authenticate to the AS and request an access token upon startup / token expiration;
b) Pass their token as a JWT header in all service calls to peer microservices;
c) When handling a service call, validate the token signature only (rather than going back to the AS), and then evaluate the claims in the JWT as appropriate within each service.
Is this already a known and accepted pattern? Are there major flaws with it, particularly around (c)? I like the idea because it seems simple yet performant and scalable … but then I’m not a security person :).
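Step (c) of the pattern described in the question, as an added example that is not part of the original post: a service checks the token's signature and expiry locally, without calling back to the AS, and then evaluates the audience and scope claims itself. It uses an HS256 shared key and standard-library code only; the service names, scope strings and key are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. In a real deployment the AS signs with its own key
# (typically asymmetric, so services only ever hold the public half).
SHARED_KEY = b"demo-shared-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Stand-in for the AS issuing a token to a service at startup (step a)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Step (c): validate signature and expiry locally; return claims or raise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not be allowed to pick "none" or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # Expiry is enforced here; revocation before expiry would need a call to the AS.
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def authorize(claims: dict, required_scope: str, this_service: str) -> bool:
    """Per-service claim evaluation: token must target this service and carry the scope."""
    return (this_service in claims.get("aud", [])
            and required_scope in claims.get("scope", "").split())
```

Because the check is purely local, a token stays valid until `exp` even if the AS would no longer issue it, which is the main trade-off of skipping the round trip.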