In microservices, you don't want every service to have its own 'Users' table and login logic. You need a Centralized Identity Provider (IdP) that every other service trusts.
IdentityServer is the industry standard for .NET. It implements **OAuth2** and **OpenID Connect (OIDC)**. Instead of logging into the 'Order Service', the user logs into 'IdentityServer'. IdentityServer then gives them a cryptographically signed **JWT (JSON Web Token)** that they can show to any other microservice to prove who they are.
Single Sign-On (SSO) means the user logs in once and has access to all your services. For your engineers, it means they don't have to worry about password hashing, salting, or multi-factor authentication (MFA)—the IdP handles all the "Hard Security" once, and the services just verify the token.
Q: "How do you handle 'Logout' in a distributed system with JWTs?"
Architect Answer: "JWTs are stateless, so you can't technically 'De-auth' them until they expire. However, for high-security apps, we use a **Token Blacklist** in Redis. When a user logs out, we add their `jti` (token unique ID) to Redis. Every microservice checks Redis before processing a request. This gives us the ability to instantly revoke access while keeping the performance benefits of JWTs."
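One way to wire up the blacklist check described in the answer above, as an added example that is not code from the original page or from the IdentityServer project. It assumes an ASP.NET Core minimal API project (implicit usings enabled) with the Microsoft.AspNetCore.Authentication.JwtBearer and StackExchange.Redis packages; the authority URL, audience, Redis address, `revoked:` key prefix and `/logout` route are hypothetical.

```csharp
// Added example: per-service jti check against a Redis blacklist.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using StackExchange.Redis;

var builder = WebApplication.CreateBuilder(args);
// Assumed Redis address; every microservice points at the same instance.
var redis = await ConnectionMultiplexer.ConnectAsync("localhost:6379");
builder.Services.AddSingleton<IConnectionMultiplexer>(redis);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://identity.example.internal"; // hypothetical IdP
        options.Audience = "orders-api";                         // hypothetical audience
        options.MapInboundClaims = false; // keep the raw "jti" and "exp" claim names
        options.Events = new JwtBearerEvents
        {
            // Runs only after signature, issuer, audience and lifetime checks pass.
            OnTokenValidated = async ctx =>
            {
                var jti = ctx.Principal?.FindFirst("jti")?.Value;
                if (string.IsNullOrEmpty(jti)) { ctx.Fail("Token has no jti claim."); return; }
                var db = ctx.HttpContext.RequestServices
                    .GetRequiredService<IConnectionMultiplexer>().GetDatabase();
                // If Redis is unreachable this throws and the request is not authenticated.
                if (await db.KeyExistsAsync($"revoked:{jti}"))
                    ctx.Fail("Token has been revoked.");
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Logout: keep the jti until token expiry plus the 5-minute default clock skew.
app.MapPost("/logout", async (HttpContext http, IConnectionMultiplexer mux) =>
{
    var jti = http.User.FindFirst("jti")?.Value;
    var exp = http.User.FindFirst("exp")?.Value;
    if (jti is null || !long.TryParse(exp, out var expUnix)) return Results.BadRequest();
    var ttl = DateTimeOffset.FromUnixTimeSeconds(expUnix) + TimeSpan.FromMinutes(5) - DateTimeOffset.UtcNow;
    if (ttl > TimeSpan.Zero)
        await mux.GetDatabase().StringSetAsync($"revoked:{jti}", "1", ttl);
    return Results.NoContent();
}).RequireAuthorization();

app.Run();
```

Setting the Redis key's expiry from the token's own `exp` means revoked entries disappear once the token could no longer validate anyway, so the blacklist never grows beyond the set of still-live tokens.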