We are trying to update our web application stack to leverage ServiceStack auth throughout. Our MVC web app currently has its own user authentication (regrettably still using Membership) and then authenticates calls against our restricted back-end Servicestack microservices using server-server tokens (generated using IdentityServer 4). In addition to calls from the web application, these microservices receive calls from batch processes (Windows Services), which also perform a server-server auth. The microservices are not network isolated and thus the server-server auth ensures that only authorized clients are able to make API calls.
We are trying to simplify and standardize our architecture and use ServiceStack user auth on the front-end and then pass the authenticated session down through the ServiceInterface layer into our back-end microservices using JWT tokens. In addition to simplification, we are seeking to have the user session context available in the microservices layer for business logic (we do this using our own mechanism now). The new approach is working great in prototyping, but it now makes the back-end services accessible to any authenticated user.
Is there a recommended/standard approach for using JWT to pass user sessions across microservice boundaries, while simultaneously restricting access to back-end microservices to only internal authorized clients (other than physical network restriction)? Is this a violation of the basic JWT principles? I assume the Windows Services would authenticate using a standard mechanism (credentials, API Key, etc.) and use the resulting JWT tokens to make calls. If there are any recommendations for best practices here that would be helpful too. Thanks in advance for any suggestions!