Tags: jwt, authorization, microservices

How to build an efficient micro-services architecture while paying attention to single responsibility, when authorizing?


Let's say I have an Authorisation-Service and I need to support multiple user roles.

And let's say I want to restrict access to different routes from XY-Service based on the user roles. I can think only of two options:

1) Send a request to the Authorisation-Service, which will decide if I'm authorised or not. This is clearly not efficient, as I have to communicate with the Authorisation Service multiple times.

2) Use JWT, get the user role and decide in XY-Service if the user is authorised or not to access that resource/route. This is more efficient, but introduces authorisation logic in a microservice that shouldn't deal with this kind of logic.


Solution

  • the use of JWT is a widespread practice and does not violate the principle of unique responsibility, because that principle refers to non-technical "functional" responsibility (business logic): your microservice functionally does one thing and technically many (logging, security, tracing...). Currently there is a strong tendency to move all those technical features out of the business development itself by using envoy/istio.
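Option 2 from the question, as an added example that is not part of the original post or answer: the Authorisation-Service mints a signed JWT once, and XY-Service verifies it locally (signature, pinned algorithm, expiry) and applies its own route-to-role policy without calling back. The secret, routes and helper names are constructed for the demo; HS256 is assumed for brevity, whereas an asymmetric key would let XY-Service verify without being able to mint tokens.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret (HS256). Assumption: in production use an asymmetric key
# (RS256/ES256) so XY-Service can verify tokens without being able to mint them.
SECRET = b"constructed-demo-secret"

# Route policy owned by XY-Service: which roles may reach which route. Unknown routes are denied.
ROUTE_ROLES = {
    ("GET", "/orders"): {"user", "admin"},
    ("DELETE", "/orders"): {"admin"},
}

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, roles, ttl=300, now=None):
    """Authorisation-Service side: mint one signed token carrying the user's roles."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": sub, "roles": roles, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token, now=None):
    """XY-Service side: check signature, pinned algorithm and expiry locally, no remote call."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm the verifier did not choose
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # signature mismatch: payload was altered or token was not issued by us
        claims = json.loads(b64url_decode(payload_b64))
        now = int(time.time()) if now is None else now
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token is treated as unauthenticated

def authorize(method, path, token, now=None):
    """Route guard for XY-Service: valid token AND a role the route policy permits."""
    claims = verify_token(token, now)
    allowed = ROUTE_ROLES.get((method, path), set())
    return claims is not None and bool(allowed & set(claims.get("roles", [])))
```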