OAuth2 & OpenID Connect: Centralized Identity (AuthN/AuthZ)
Centralized Identity
In a monolith, you have one cookie. In microservices, every service needs to know who you are. We use OpenID Connect (OIDC) and OAuth2 to create a central "Identity Provider" (a Security Token Service, or STS) that issues signed **JWT Tokens**. This is the standard for secure, distributed authentication.
1. IdentityServer4 / Duende
This is the gold standard for .NET. It handles the login screen, token issuance, and "Refresh Tokens." Your other microservices only need to validate the JWT locally: check its **Signature** against the signing keys the STS publishes, plus the issuer, audience and expiry. They never need to touch the User database themselves.
2. Token Propagation
When Service A calls Service B, it must "Propagate" the user's token in the Authorization header. This ensures that Service B knows exactly which user is making the request, allowing for granular permissions even deep inside the network.
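Both points, local JWT validation (section 1) and token propagation (section 2), in one ASP.NET Core resource service, as an added example that is not code from the page or from Duende. It assumes a .NET 8 web project with implicit usings and the `Microsoft.AspNetCore.Authentication.JwtBearer` package; the STS URL `https://sts.example.com`, the audience `orders-api`, the Service B URL and the `TokenPropagationHandler` class are placeholders chosen for the example.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// 1. Validate the JWT locally. The handler fetches the STS's signing keys from its
//    discovery document and checks signature, issuer, audience and lifetime per request,
//    so no user-database call is needed in this service.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://sts.example.com";   // placeholder STS URL
        options.Audience = "orders-api";                 // this service's name at the STS
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1),         // tighter than the 5-minute default
        };
    });

// 2. Authorization: the "scope" claim may arrive as one space-separated string or as
//    several claims, so split before matching the page's "Read:Orders" scope.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("ReadOrders", policy => policy.RequireAssertion(ctx =>
        ctx.User.FindAll("scope").SelectMany(c => c.Value.Split(' ')).Contains("Read:Orders"))));

// 3. Token propagation: copy the caller's bearer token onto outgoing calls to Service B.
//    Service B validates it the same way, so the token's audience must also cover Service B.
builder.Services.AddHttpContextAccessor();
builder.Services.AddTransient<TokenPropagationHandler>();
builder.Services.AddHttpClient("ServiceB", c => c.BaseAddress = new Uri("https://service-b.example.com"))
    .AddHttpMessageHandler<TokenPropagationHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/orders", async (IHttpClientFactory factory) =>
        await factory.CreateClient("ServiceB").GetStringAsync("/inventory"))
   .RequireAuthorization("ReadOrders");
app.Run();

sealed class TokenPropagationHandler(IHttpContextAccessor accessor) : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var incoming = accessor.HttpContext?.Request.Headers.Authorization.ToString();
        if (AuthenticationHeaderValue.TryParse(incoming, out var header))
            request.Headers.Authorization = header;   // forwards "Bearer <jwt>" unchanged
        return base.SendAsync(request, ct);
    }
}
```

A request without a valid token fails at `UseAuthentication` with 401; a valid token lacking `Read:Orders` fails the policy with 403 before the call to Service B is made.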
4. Interview Mastery
Q: "What is the difference between Authentication (AuthN) and Authorization (AuthZ)?"
Architect Answer: "Authentication is **Identity** (Who are you?). This is handled by OpenID Connect. Authorization is **Permission** (What are you allowed to do?). This is handled by OAuth2 Scopes and Roles. For example: OIDC tells the app 'You are Sandeep'; OAuth2 tells the app 'Sandeep is allowed to [Read:Orders] but NOT [Delete:Orders]'."