Alex Yang
May 18, 2017

My solutions:

I used an API gateway + OAuth services to handle authentication. The client side gets a token from the OAuth services and uses that token to visit different microservices. The API gateway will verify the token (valid, not expired or revoked) and get the latest user information from the user services (and cache it). All other microservices behind the API gateway just use the user information because all connections are valid after the gateway. For authorization, it is role based and the different services handle the permission verification instead of the gateway because the services know the business logic instead of the gateway. Welcome to discuss…
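A minimal sketch of the flow described above, added here as an illustration and not the author's code. The token store, user data, header names (`X-User`, `X-User-Sig`) and the shared `GATEWAY_KEY` are constructed assumptions; signing the forwarded user information with an HMAC is also an addition that goes beyond the post, so a service can tell that the header really passed through the gateway.

```python
import hashlib, hmac, json, time

GATEWAY_KEY = b"constructed-demo-key"   # assumption: secret shared by gateway and services
SOON = time.time() + 300
TOKENS = {"tok-alice": {"sub": "alice", "exp": SOON},        # constructed OAuth token store
          "tok-revoked": {"sub": "alice", "exp": SOON},
          "tok-old": {"sub": "alice", "exp": time.time() - 1}}
REVOKED = {"tok-revoked"}                                     # constructed revocation list
USERS = {"alice": {"id": "alice", "roles": ["viewer"]}}       # constructed user-service data
_cache = {}

def user_service_lookup(sub):
    """Stand-in for the user-service call; results are cached for 60 seconds."""
    hit = _cache.get(sub)
    if hit and hit[1] > time.time():
        return hit[0]
    user = USERS[sub]
    _cache[sub] = (user, time.time() + 60)
    return user

def gateway_authenticate(token):
    """Gateway: reject unknown, revoked or expired tokens, then attach signed user info."""
    meta = TOKENS.get(token)
    if meta is None or token in REVOKED or meta["exp"] <= time.time():
        return None
    body = json.dumps(user_service_lookup(meta["sub"]), sort_keys=True)
    sig = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"X-User": body, "X-User-Sig": sig}   # hypothetical header names

def service_authorize(headers, required_role):
    """Downstream service: check the gateway signature, then apply its own role rule."""
    body, sig = headers.get("X-User", ""), headers.get("X-User-Sig", "")
    expected = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False                             # header did not come through the gateway
    return required_role in json.loads(body)["roles"]
```

Because the gateway caches user information, a role change reaches the services only after the cache entry expires (60 seconds in this sketch).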