We have been investigating a proper mechanism to secure the microservices that we are going to provide as API endpoints via an API manager application.
Fundamentally, we need a stateless security mechanism like JWT to secure each API endpoint.
We thought to have a separate service called "Auth service" to issue tokens and validate them.
We came up with the following approach:
But it seems every request must go through the Auth Server, and then it will become a very busy place. Are there any standard mechanisms to overcome this situation? We heard about providing a separate access token to the client instead of the original Auth token, but we have issues with validating the access token at the microservice level. Any solutions would be really appreciated.
Thanks in advance.
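
Local validation at the microservice, as an added example that is not part of the original post: the Auth service signs a short-lived token once, and each service checks the signature, expiry and audience itself, so no per-request call to the Auth service is needed. It assumes HS256 with a shared key and constructed names (`SHARED_KEY`, `issue_token`, `verify_token`); with an asymmetric algorithm the services would hold only the public key.

```python
import base64, hashlib, hmac, json, time

# Assumption: HS256 with one key shared by the Auth service and the services.
SHARED_KEY = b"constructed-demo-key"  # constructed value, demo only

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(subject, audience, ttl_seconds, key=SHARED_KEY, now=None):
    """Auth service side: sign a short-lived access token once, at login."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + b64url(sign(signing_input, key))

def verify_token(token, audience, key=SHARED_KEY, now=None):
    """Microservice side: validate locally; returns the claims or None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        # Pin the algorithm; never let the token's own header choose it.
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = sign(header_b64 + "." + claims_b64, key)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(claims_b64))
        exp, aud = claims.get("exp"), claims.get("aud")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    if not isinstance(exp, int) or exp <= now:
        return None  # expired: the client must fetch a new token
    if aud != audience:
        return None  # issued for a different service
    return claims
```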