Suppose we have a client application accessing a resource server (service A) with access token.
Service A validates the token against Hydra via introspection api and get the information about the authenticated user.
Suppose service A doesn’t have all the information it needs to respond to the client, it then need to call service B to get additional data.
Service A would call B’s api with the user’s access token but then service B will need to check Hydra as well. This is obviously a waste…
I know Oathkeeper aims to solve this issue as being the gateway to the internal system and translate the opaque access token to a readble/verifyiable jwt that inner services can consume.
But assuming we are not ready to integrate with Oathkeeper yet (will require considerable amount of work) is there a nice way to solve this ?
We could possibly ask the client to additionally pass the id token, but I think we will still have to verify the access token additionally.