To understand microservice security, let's step back and recall how we used to secure .NET monolithic applications. This will help us better grasp why a microservice's authentication and authorization mechanism needs to be different.
The critical mechanism to secure applications has always been authentication and authorization. Authentication verifies the identity of a user. Authorization manages what a user can or cannot access, which is nothing but permissions. And encryption, well, that's the mechanism that helps you protect data as it passes between the client and server. We're not going to discuss a lot about encryption, though. Just ensure the data that goes over the wire is encrypted everywhere. This is very well achieved through the use of the HTTPS protocol.
The following diagram depicts the flow of a typical authentication and authorization...