I am working on a microservices application where the client application sends the access token to the orders microservice with the POST call. When saving the order, the inventory microservice should be called to update the inventory. The Inventory microservice's updateInventory method should also be protected.

In this use case, should I propagate the same access token to the inventory microservice and restrict the API access to update inventory, or should I make use of the client-credentials grant flow to allow the saveOrder method in the order microservice to invoke the updateInventory method in the inventory microservice?

Note: Both the order and inventory microservices are acting as resource servers.

What is the right approach?
Good question:
BOUNDARIES
If you were calling an external API belonging to someone else you would definitely use client credentials to get a token that entitles you to call that API.
MICROSERVICES
If the data owner is the same then most commonly you can simply forward the access token. This is how OAuth is meant to work: a scalable architecture that only requires simple code:
The Scope Best Practices article explains this for a real-world system.
TRUST BOUNDARIES AND HIGHER PRIVILEGES
It is common to get a fresh token for high security operations, such as redirecting the user with a payment scope, or using token exchange before calling a less trusted API. This should be the exception rather than the rule though.
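As an added illustration of the forward-the-token pattern the answer recommends (example code, not from the question or the answer): the order service validates the user's token for its own audience and scope, then forwards the same bearer token to the inventory service, which validates it again for its own audience and the `inventory:write` scope. The HS256 secret, the `mint_token` stand-in for the authorization server, and the claim, audience and scope values are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret (HS256); real resource servers verify RS256/ES256 against the AS's JWKS.
SECRET = b"demo-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:  # stands in for the authorization server
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_token(token: str, scope: str, audience: str) -> dict:  # every resource server checks the token itself
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    if audience not in claims.get("aud", []):
        raise PermissionError("token was not issued for this service")
    if scope not in claims.get("scope", "").split():
        raise PermissionError(f"missing scope {scope}")
    return claims

def _bearer(headers: dict) -> str:
    auth = headers.get("Authorization", "")
    return auth[7:] if auth.startswith("Bearer ") else ""

def update_inventory(headers: dict, item: str, delta: int) -> dict:  # inventory service endpoint
    claims = verify_token(_bearer(headers), "inventory:write", "inventory")
    return {"item": item, "delta": delta, "on_behalf_of": claims["sub"]}

def save_order(headers: dict, item: str, qty: int) -> dict:  # order service endpoint
    claims = verify_token(_bearer(headers), "orders:write", "orders")
    # The same user token is forwarded; no client-credentials call is needed.
    return {"order_for": claims["sub"], "inventory": update_inventory(headers, item, -qty)}

def demo(scope: str) -> dict:
    token = mint_token({"sub": "alice", "aud": ["orders", "inventory"],
                        "scope": scope, "exp": time.time() + 60})
    try:
        return save_order({"Authorization": "Bearer " + token}, "widget", 2)
    except PermissionError as e:
        return {"denied": str(e)}
```

Note that the forwarded token must carry the audiences and scopes of both services; a token minted only with `orders:write` is accepted by the order service but rejected by the inventory service.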