If my services communicate over sync HTTP, I would pass the JWT token to each service so each service can authenticate the request and ensure it is only providing data for the authenticated user.
However, if I change my communication mechanism to async messaging (e.g. RabbitMQ), how would I now authenticate the event to the scope of the user who initiated the event? Should the same JWT be passed as part of the event message? I see an issue with this mechanism, in that the JWT may have expired by the time the service processes the message, which means the message will not get processed.
Is this the general approach and best practice, or should some sort of trusted policy be created and passed as an alias to the original JWT stating what that user could do and had access to, or is there a different approach?
Once the user invokes the first microservice you should trust the communication among your services, so you don't need a JWT or standard token. You can pass in the event some sort of identification of the original user or their scopes to ensure that the receiver service filters the information accordingly.
This identification can even be a JWT token without expiration, because it will be a token that is only used internally among your services, so there is no risk that a malicious user tampers with it.
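As an added example (not code from the question or the answer above), here is the pattern the answer describes: the producer copies only the user's identity and scopes from the already-verified JWT into a context signed with a key shared among the services, carries it in the event, and the consumer verifies that context before filtering data to the originating user. The shared key, the sample orders and the `orders:read` scope are constructed assumptions, and a plain HMAC stands in for a JWT library so the example runs without dependencies.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key shared only among internal services (assumption;
# in practice it comes from a secret store, never from the public JWT issuer).
INTERNAL_KEY = b"example-internal-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_user_context(jwt_claims: dict) -> str:
    """Producer side: build a service-signed context from the user's verified JWT claims.
    Only identity and scopes are copied; the user's token and its exp are not forwarded."""
    ctx = {"sub": jwt_claims["sub"], "scopes": sorted(jwt_claims.get("scopes", [])),
           "iat": int(time.time())}
    body = _b64(json.dumps(ctx, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(INTERNAL_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_user_context(token: str) -> Optional[dict]:
    """Consumer side: check the signature before trusting any claim; None if it does not verify."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(INTERNAL_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))


def publish_event(event_type: str, payload: dict, jwt_claims: dict) -> dict:
    """Producer: attach the user context to the message instead of the original JWT."""
    return {"type": event_type, "payload": payload, "user_context": make_user_context(jwt_claims)}


# Constructed sample data the consumer filters by owner.
ORDERS = [{"id": 1, "owner": "alice"}, {"id": 2, "owner": "bob"}, {"id": 3, "owner": "alice"}]


def handle_event(event: dict) -> list:
    """Consumer: drop events with a bad context or missing scope, then scope data to the user."""
    ctx = verify_user_context(event.get("user_context", ""))
    if ctx is None or "orders:read" not in ctx["scopes"]:
        return []
    return [o for o in ORDERS if o["owner"] == ctx["sub"]]
```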