Is it OK to pass on OAuth Access Token between services?

Considering the following scenario in a context of the SSO/OAuth/microservices:

  1. User successfully logs in to the web application using OAuth's Implicit Flow.
  2. Web app requests some data from Service A and Service B, passing on the user's Access Token to authorize both requests.
  3. Service A also calls Service B (passing on the same Access Token!) in order to build a response to the initial Web App request.

Now, is it OK to pass on the user's Access Token from Service A to Service B?

Or should Service A use the "Client Credentials" grant to obtain its own Access Token to authorize the call to Service B?

UPDATE:
Please assume both services are owned by the same organization and both trust the same Authorization Server. Also, both services are behind the same API Gateway, which validates Access Tokens.

begie, asked Oct 03 '16 20:10



1 Answer

It depends on who is controlling the web application, Service A and Service B. If they're all run by the same party there's no problem in passing the token on since it stays within the same security domain.

But if, e.g., Service B is run by a 3rd party then things become problematic, as the administrator of Service B can pick up the access token and call Service A as if it were your web application, potentially getting access to resources that it should not have access to.

You'll also note that if Service A and Service B are owned by 2 different parties, other than you, your web application should also obtain two different access tokens respectively for calling Service A and Service B to prevent the same security issue.

So the answer really is: it depends on who is controlling what i.e. if the token is crossing an administrative/security domain.

Hans Z., answered Oct 07 '22 13:10
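The answer's advice for the cross-domain case (one access token per service, so a token forwarded by Service A is useless at Service B, while a Client Credentials token identifies Service A as the caller) can be simulated end to end. This is an added example, not code from the question or the answer; it assumes HMAC-signed JSON tokens carrying an `aud` claim and a constructed shared signing key, which stand in for whatever token format the real Authorization Server uses.

```python
import base64, hashlib, hmac, json

# Constructed demo key; stands in for the signing key the Authorization Server shares
# with its resource servers (assumption: symmetric, so the demo stays self-contained).
SECRET = b"constructed-demo-signing-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(subject: str, audience: str, scope: str, now: int, ttl: int = 300) -> str:
    """Authorization Server: mint an HMAC-signed token bound to exactly one audience."""
    claims = {"sub": subject, "aud": audience, "scope": scope, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def validate_token(token: str, my_audience: str, now: int):
    """Resource server / API gateway: return the claims only if the signature verifies,
    the token is unexpired, and its audience is this service rather than another one."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= now or claims["aud"] != my_audience:
        return None
    return claims

def scenario(now: int = 1_700_000_000) -> dict:
    """Replay the question's three-step flow and record what Service B decides."""
    # Steps 1-2: the web app holds one token per downstream service (the answer's advice).
    token_for_a = issue_token("user42", "service-a", "read:profile", now)
    token_for_b = issue_token("user42", "service-b", "read:orders", now)
    # Step 3, variant 1: Service A forwards the token it received from the web app.
    forwarded = validate_token(token_for_a, "service-b", now)
    # Step 3, variant 2: Service A uses its own Client Credentials token for Service B.
    own = issue_token("service-a", "service-b", "read:orders", now)
    client_creds = validate_token(own, "service-b", now)
    return {
        "web_app_to_b_ok": validate_token(token_for_b, "service-b", now) is not None,
        "forwarded_token_accepted": forwarded is not None,
        "client_credentials_caller": client_creds["sub"] if client_creds else None,
    }
```

In the single-domain setup from the question's update, the same check still applies: the gateway validating `aud` is what keeps a token minted for one service from being replayed against another.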