...
The user logs in to an application. An authentication request is sent to Azure AD as described earlier, and an access token is returned.
A request is made to a URI “/doSomething” with this token.
The API Gateway authenticates the request. Since the token is a JWT bearer token, it carries a signature produced with either the RS256 (asymmetric) or the HS256 (symmetric) algorithm. In the former case, to validate the token’s signature the authentication logic may require the public key certificate, and issue an HTTPS GET request to the JWK Set resource URI specified in the “x5u” field of the token header to obtain it.
The request is then passed on to the microservice (once any policies configured on the API Gateway are applied).
The microservice repeats the token validation (authentication) that the API Gateway performed in step #3 above. The important part here is that the request to the JWK Set URI will need to be proxied through the API Gateway, as the microservice endpoint will typically not be exposed outside the cluster.
Upon successful authentication and authorization, the microservice fulfills the request and sends a response back to the client. It can be a 200 (OK) or 202 (Accepted), or any other standard HTTP response.
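The validation that the gateway performs in step #3 and the microservice repeats, written out as an added example in Go with only the standard library (this is not code from the original article or from any Azure or gateway SDK). It assumes an RS256-signed token whose JWK Set location is taken from the x5u header field as the flow above describes; the tenant id, issuer, audience and the `Fetch` stand-in are constructed placeholders. Azure AD publishes its signing keys under login.microsoftonline.com, and the validator allow-lists that host so a token cannot redirect the key fetch; the same `Validator` value is what the microservice runs again, with `Fetch` doing the HTTPS GET through the gateway proxy.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url
// Only the fields RS256 validation needs; encoding/json matches keys case-insensitively ("x5u" fills X5U).
type header struct{ Alg, Kid, X5U string }
type jwkSet struct{ Keys []struct{ Kid, Kty, N, E string } }
type Claims struct{ Iss, Aud string; Exp int64 }
// Validator is what the gateway, and the microservice repeating the check, must know in advance.
type Validator struct {
	Issuer, Audience string
	TrustedKeyHosts  map[string]bool                  // hosts a JWK Set may be fetched from
	Fetch            func(uri string) ([]byte, error) // HTTPS GET; from inside the cluster, proxied through the gateway
}

func (v Validator) Validate(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdr, e1 := b64.DecodeString(parts[0])
	pay, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var h, c = header{}, Claims{} // decoded now, but trusted only once the signature checks out
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdr, &h) != nil || json.Unmarshal(pay, &c) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if h.Alg != "RS256" { // pin the algorithm: "none" and HS256 are refused outright
		return nil, fmt.Errorf("alg %q not allowed", h.Alg)
	}
	if err := v.verifySignature(h, parts[0]+"."+parts[1], sig); err != nil {
		return nil, fmt.Errorf("signature rejected: %w", err)
	}
	if c.Iss != v.Issuer || c.Aud != v.Audience || time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

// verifySignature fetches the JWK Set named in the header, but only over HTTPS from a trusted host:
// x5u is attacker-controlled input, and an unrestricted fetch would let a token bring its own key.
func (v Validator) verifySignature(h header, signingInput string, sig []byte) error {
	u, err := url.Parse(h.X5U)
	if err != nil || u.Scheme != "https" || !v.TrustedKeyHosts[u.Host] {
		return fmt.Errorf("key set URI %q is not trusted", h.X5U)
	}
	var set jwkSet
	if doc, err := v.Fetch(h.X5U); err != nil || json.Unmarshal(doc, &set) != nil {
		return fmt.Errorf("could not load JWK Set from %q", h.X5U)
	}
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == h.Kid { // n and e are base64url big-endian integers
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
			digest := sha256.Sum256([]byte(signingInput)) // JWS signs "header.payload"
			return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
		}
	}
	return fmt.Errorf("no RSA key with kid %q in set", h.Kid)
}

func mint(priv *rsa.PrivateKey, kid, x5u string, c Claims) string { // stands in for the issuer (Azure AD)
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "x5u": x5u})
	cb, _ := json.Marshal(map[string]interface{}{"iss": c.Iss, "aud": c.Aud, "exp": c.Exp})
	signingInput := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64.EncodeToString(sig)
}
// Demo validates a good token and one whose x5u points at an untrusted host; tenant, issuer and audience are constructed placeholders.
func Demo() (good, untrusted error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keysURI := "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys"
	set := fmt.Sprintf(`{"keys":[{"kid":"k1","kty":"RSA","n":%q,"e":%q}]}`,
		b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()))
	v := Validator{Issuer: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0", Audience: "api://example-api",
		TrustedKeyHosts: map[string]bool{"login.microsoftonline.com": true},
		Fetch:           func(string) ([]byte, error) { return []byte(set), nil }} // stands in for the HTTPS GET
	ok := Claims{Iss: v.Issuer, Aud: v.Audience, Exp: time.Now().Add(time.Hour).Unix()}
	_, good = v.Validate(mint(priv, "k1", keysURI, ok))
	_, untrusted = v.Validate(mint(priv, "k1", "https://attacker.example/keys", ok))
	return good, untrusted
}

func main() { fmt.Println(Demo()) }
```

Running it prints `<nil>` for the well-formed token and a "key set URI ... is not trusted" error for the one whose x5u points elsewhere: the signature on that second token is perfectly valid, which is exactly why the key source has to be pinned before the signature is even examined. The `Fetch` closure is the one piece that differs between the two validators in the flow: on the gateway it is a direct HTTPS GET, on the microservice it is the same GET sent via the gateway proxy.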
...