by hiimcharlies 3175 days ago
> API Gateway intercepts the request from the web app, extracts out the access_token, talks to the Token Exchange endpoint (or the STS), which will validate the access_token and then issues a JWT (signed by it) to the API Gateway.

What is "it" in this quote? Will JWT be signed by API Gateway?

Otherwise... a great article! Made my understanding of security principles in an architecture like that MUCH clearer.


It should be signed by the STS, which is trusted by all the downstream microservices. The STS, which validates the access_token, can send back this signed JWT to the gateway in the response. The STS of the access_token and this JWT can be the same or two different ones, based on the use case...
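To make the flow in that reply concrete, here is an added example (not code from the article or from either commenter) of the three parties: an API Gateway that extracts the opaque access_token, an STS that validates it and mints a JWT signed with its own key, and a downstream microservice that checks the STS signature locally without ever calling the STS. Everything is constructed for the demo: the token store, the signing key, the issuer name and the request shapes are assumptions. The JWT is HMAC-signed (HS256) only to stay within the standard library; in a real deployment the STS would sign with an asymmetric key so microservices hold just the public half and cannot mint tokens themselves.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: the STS signing key and its issuer identifier.
STS_KEY = b"constructed-demo-sts-key-not-for-real-use"
ISSUER = "https://sts.example.invalid"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class STS:
    """Security Token Service: validates opaque access tokens, issues JWTs it signs."""

    def __init__(self, signing_key: bytes, issuer: str):
        self._key = signing_key
        self.issuer = issuer
        # Constructed stand-in for the STS's own token store (opaque token -> claims).
        self._access_tokens = {"opaque-abc123": {"sub": "alice", "scope": "orders:read"}}

    def exchange(self, access_token: str, now: Optional[int] = None) -> Optional[str]:
        """Token exchange: unknown/invalid access_token -> None, else a short-lived signed JWT."""
        claims = self._access_tokens.get(access_token)
        if claims is None:
            return None
        now = int(time.time()) if now is None else now
        payload = {**claims, "iss": self.issuer, "iat": now, "exp": now + 300}
        return self._sign(payload)

    def _sign(self, payload: dict) -> str:
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = (
            b64url(json.dumps(header, separators=(",", ":")).encode())
            + "."
            + b64url(json.dumps(payload, separators=(",", ":")).encode())
        )
        sig = hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes, issuer: str, now: Optional[int] = None) -> Optional[dict]:
    """What every microservice does on each request: signature, algorithm, issuer, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # only the algorithm we expect from our STS
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if payload.get("iss") != issuer or payload.get("exp", 0) <= now:
        return None
    return payload


def gateway_handle(request: dict, sts: STS) -> Optional[dict]:
    """API Gateway: pull the access_token from the bearer header, exchange it at the STS,
    and forward the request downstream carrying the STS-signed JWT instead."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    jwt = sts.exchange(auth[len("Bearer "):])
    if jwt is None:
        return None  # gateway rejects the caller; nothing reaches the microservices
    return {"path": request["path"], "headers": {"Authorization": "Bearer " + jwt}}


def microservice_handle(request: dict, sts_key: bytes, issuer: str) -> str:
    """Downstream microservice: trusts only JWTs verifiable with the STS key."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "401 Unauthorized"
    claims = verify_jwt(auth[len("Bearer "):], sts_key, issuer)
    if claims is None:
        return "401 Unauthorized"
    return f"200 OK for {claims['sub']} ({claims['scope']})"


def run_demo() -> dict:
    sts = STS(STS_KEY, ISSUER)
    good = {"path": "/orders", "headers": {"Authorization": "Bearer opaque-abc123"}}
    forwarded = gateway_handle(good, sts)
    jwt = forwarded["headers"]["Authorization"][len("Bearer "):]
    # Corrupt one character inside the signature segment to simulate tampering in transit.
    pos = len(jwt) - 10
    damaged = jwt[:pos] + ("A" if jwt[pos] != "A" else "B") + jwt[pos + 1:]
    return {
        "valid": microservice_handle(forwarded, STS_KEY, ISSUER),
        "unknown_token": gateway_handle({"path": "/orders", "headers": {"Authorization": "Bearer bogus"}}, sts),
        "tampered": microservice_handle({"path": "/orders", "headers": {"Authorization": "Bearer " + damaged}}, STS_KEY, ISSUER),
        "wrong_key": microservice_handle(forwarded, b"some-other-key", ISSUER),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The microservice never contacts the STS: trust comes from holding the STS verification key, which is exactly why the JWT must be signed by the STS rather than by the gateway. If the gateway signed it, every service would have to trust the gateway's key too, and a compromised gateway could mint identities at will.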
Thank you! I'll ask some more questions tomorrow after I sleep on it, if you don't mind.