In a monolith, one cookie tied to one server-side session is enough. In microservices, every service needs to establish who the caller is without sharing that session. We use OpenID Connect (OIDC) and OAuth2 with a central Identity Provider (an STS, Security Token Service) that issues signed **JWT** access tokens. This is the standard for secure, distributed authentication.
A dedicated identity server library is the gold standard for .NET. It handles the login screen, token issuance, and refresh tokens. Your other microservices only need to validate the JWT they receive: check its **signature** against the IdP's published keys, and also the issuer, audience and expiry claims (a token with a valid signature but the wrong `aud` or an expired `exp` must still be rejected). They never touch the user database themselves.
When Service A calls Service B, it must propagate the user's token in the `Authorization: Bearer` header. Service B then knows exactly which user originated the request and can enforce granular permissions even deep inside the network. One caveat: Service B validates the token's `aud` claim, so the IdP must issue the token with B as an audience (or Service A must exchange it for a token scoped to B); otherwise B rejects it, and that rejection is correct behaviour.
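The two halves described above, validation in the receiving service and propagation to the next hop, as an added ASP.NET Core (.NET 8) example; this is not code from the original page or from any particular identity server product. The issuer URL `https://idp.example.internal`, the downstream base address `https://inventory.example.internal`, the audience name `orders-api` and the `BearerTokenPropagationHandler` class are assumptions for illustration.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed values: the IdP's issuer URL and the audience this service expects.
const string Issuer = "https://idp.example.internal";
const string Audience = "orders-api";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Discovery document and JWKS (signing keys) are fetched from the Authority.
        options.Authority = Issuer;
        options.Audience = Audience;
        options.MapInboundClaims = false; // keep raw claim names such as "sub" and "scope"
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Signature alone is not enough: pin issuer, audience, lifetime and algorithm.
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = Audience,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
            ValidateIssuerSigningKey = true,
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
            NameClaimType = "sub",
        };
    });
builder.Services.AddAuthorization();

// Propagation: a DelegatingHandler copies the caller's bearer token onto outbound calls.
builder.Services.AddHttpContextAccessor();
builder.Services.AddTransient<BearerTokenPropagationHandler>();
builder.Services
    .AddHttpClient("inventory", c => c.BaseAddress = new Uri("https://inventory.example.internal"))
    .AddHttpMessageHandler<BearerTokenPropagationHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Service A endpoint: requires a valid JWT, then calls Service B with the same token.
app.MapGet("/orders/{id}", async (string id, IHttpClientFactory factory, HttpContext ctx) =>
{
    var client = factory.CreateClient("inventory");
    var stock = await client.GetStringAsync($"/stock/{id}");
    return Results.Ok(new { id, user = ctx.User.Identity?.Name, stock });
}).RequireAuthorization();

app.Run();

// Hypothetical handler: forwards only a Bearer credential, never cookies or other schemes.
sealed class BearerTokenPropagationHandler(IHttpContextAccessor accessor) : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var header = accessor.HttpContext?.Request.Headers.Authorization.ToString();
        if (!string.IsNullOrEmpty(header)
            && AuthenticationHeaderValue.TryParse(header, out var parsed)
            && string.Equals(parsed.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", parsed.Parameter);
        }
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Service B runs the same `AddJwtBearer` block with its own audience, so the forwarded token is accepted there only if the IdP issued it with both audiences; if it did not, Service A must obtain a token for Service B (for example via OAuth2 token exchange, RFC 8693) instead of forwarding the original.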
Q: "What is the difference between Authentication (AuthN) and Authorization (AuthZ)?"
Architect Answer: "Authentication is **Identity** (Who are you?). This is handled by OpenID Connect, which adds an identity layer (the `sub` claim and the ID token) on top of OAuth2. Authorization is **Permission** (What are you allowed to do?). This is driven by OAuth2 scopes in the access token, plus any roles or other claims the IdP places in it, and enforced by the application's authorization policies. For example: OIDC tells the app 'You are Sandeep'; the access token tells the app 'Sandeep is allowed to [Read:Orders] but NOT [Delete:Orders]'."
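The AuthN/AuthZ split from the answer above, turned into ASP.NET Core (.NET 8) authorization policies as an added example; this is not code from the original page. The issuer `https://idp.example.internal` and audience `orders-api` are assumptions, the scope names `Read:Orders` and `Delete:Orders` come from the answer, and the `ScopeCheck` helper is hypothetical.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// AuthN: who is the caller? Answered by validating the IdP's JWT (assumed issuer/audience).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = "https://idp.example.internal";
        o.Audience = "orders-api";
        o.MapInboundClaims = false; // keep "sub" and "scope" under their original names
    });

// AuthZ: what may the caller do? Each policy names one scope the access token must carry.
builder.Services.AddAuthorizationBuilder()
    .AddPolicy("orders.read", p => p
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => ScopeCheck.HasScope(ctx.User, "Read:Orders")))
    .AddPolicy("orders.delete", p => p
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => ScopeCheck.HasScope(ctx.User, "Delete:Orders")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// A token for "Sandeep" with scope "Read:Orders" reaches this endpoint...
app.MapGet("/orders", (ClaimsPrincipal user) =>
        Results.Ok(new { caller = user.FindFirst("sub")?.Value, orders = Array.Empty<string>() }))
    .RequireAuthorization("orders.read");

// ...but gets 403 Forbidden here, because "Delete:Orders" is absent.
app.MapDelete("/orders/{id}", (string id) => Results.NoContent())
    .RequireAuthorization("orders.delete");

app.Run();

// Hypothetical helper. The "scope" claim may arrive as one space-delimited string
// (RFC 9068 style) or as several separate claims; this handles both and compares exactly,
// so "Read:OrdersX" does not satisfy "Read:Orders".
static class ScopeCheck
{
    public static bool HasScope(ClaimsPrincipal user, string required) =>
        user.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(required, StringComparer.Ordinal);
}
```

Keeping the scope check in a policy rather than inline in each endpoint means the permission decision is made once, in one place, and an endpoint cannot be wired up without stating which scope it requires.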