Authorizing microservices can be very simple or very complicated. In the simplest case, if a calling microservice is authenticated, then it is authorized to perform any operation. However, sometimes, this is not enough and you need very sophisticated and fine-grained authorization, depending on other request parameters. For example, in a company I used to work at, I developed an authorization scheme for a sensor network with both spatial and temporal dimensions. Users could query the data, but they might be limited to certain cities, buildings, floors, or rooms.

If they requested data from a location they were not authorized to query, their request was rejected. They were also limited by time range and couldn't query ...