This is more of an architecture question and not related to any specific technology. Let's say I have two REST microservices. A user has authority to service1, but not service2. However, service1 needs to access service2 for some side effect.
In my situation, service1 is actually public and you do not need a JWT to access it. Service2 requires an authenticated user.
One option I'm considering is that service2 allows calls from service1, but not from the user. That could be done with a generic JWT.
Does anyone have any suggestions? TIA!
In this case, service A should have permission to call service B, with a service user, and not with an end-user. If you are using OAuth 2.0, you should use client credentials. It is a grant type that is used to issue tokens to an authorized application using client id and client secret as credentials.
With this approach, service A will request a token from the OAuth server to access the endpoint of service B, passing its client id and client secret, and the OAuth server will give a token valid for service A to consume service B.
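The flow the answer describes, as an added example that is not part of the thread: a single-process stand-in for the authorization server, service A and service B, so it runs offline. The client registry, client secret, scope name, audience and signing key are constructed sample values, and the HS256 JWT is hand-rolled to avoid a library dependency.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for an OAuth 2.0 authorization server that only supports the
# client_credentials grant. Registry, secret, scope and key are hypothetical samples.
SIGNING_KEY = b"demo-signing-key-not-for-production"
CLIENTS = {"service-a": {"secret": "s3cret-a", "scopes": {"service-b:write"}}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_client_credentials_token(client_id, client_secret, scope, now=None):
    """Authorization server: authenticate the *client* (not an end user) and mint a token."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    if scope not in client["scopes"]:
        raise PermissionError("invalid_scope")
    now = now or int(time.time())
    payload = {"iss": "auth-server", "sub": client_id, "aud": "service-b",
               "scope": scope, "iat": now, "exp": now + 300}  # short-lived token
    signing_input = f"{_b64(json.dumps({'alg': 'HS256', 'typ': 'JWT'}).encode())}." \
                    f"{_b64(json.dumps(payload).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def service_b_verify(token, required_scope="service-b:write", now=None):
    """Resource server (service B): accept only a valid, unexpired token for this audience."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    h, p, s = parts
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), s):   # signature first, before trusting claims
        return False
    try:
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
    except ValueError:
        return False
    now = now or int(time.time())
    return (header.get("alg") == "HS256"              # reject algorithm confusion
            and claims.get("aud") == "service-b"      # token was issued for B, not another API
            and claims.get("exp", 0) > now
            and required_scope in claims.get("scope", "").split())

def service_a_call_service_b():
    """Service A: obtain its own token with client credentials, then present it to B."""
    token = issue_client_credentials_token("service-a", "s3cret-a", "service-b:write")
    return service_b_verify(token)
```

Note that the end user's own token never reaches service B here; B trusts the caller only because the authorization server vouched for service A's client credentials.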