Each service has mechanism to decode JWT token addressed to it and after extracting roles contained within JWT decides what to do with the request. Basically - every service has it's authorisation mechanism.

I can be wrong but what i understand is that Jwt token have three parts in it, one is to hold user information so when you have roles set to users that role information will be in the token so that services can decide if they allow or deny the request.

In short, yes.. It provides user information (id, roles..) to the services behind gateway

At 24:40 "All the information needed to complete a particular request is sent along with JWT in the Authorization header"

My understanding: 1) JWT token self-contained and it's signed, when Resource Server receives it, it can verify the JWT token is valid, and no need to contact Authorization Server. 2) JWT token can contains claims for authorization purpose and not limited to UserInfo claim, so in a scenario where Authorization Server receives the JWT token (not in this video), it can make decision if the request should be granted or not. 3) Token Exchange in the video above, the main purpose I guess is for point 1), Resource Server gets what it needs, it can validate the token, and no need to validate it with Authorization Server - no additional call is needed. 4) API Gateway acts as the Authorization Client - such as OAuth2 Client. 5) Alternatively Authentication Server can generates a JWT token with UserInfo claim. The client can pass the token to Authorization Server for authorizing the request. In this case, there is no Token Exchange.

But how do you want to protect you microservices from unauthorized access ?

It's the IDP's responsability, I think

Why offload your infrastructure to the cloud? Wouldn't that be a security issue too.

@@kellyfj there's on prem or Colo vs cloud... Different levels of security for different things.. Login/auth you'd think would be high security..

Whether it is a 3rd party or not is completely up to you