We have an existing user authentication service based on casbin (https://github.com/casbin/casbin) which implements RBAC and holds fine grained user permissions. We are looking to expose this user authentication service as a webservice for other microservices in our organization to consume.
At the same time, we are also looking to upgrade our systems to use OIDC. The users will send HTTP requests with access tokens to the microservice APIs which will validate the tokens with an authorization server.
Provided the user is authorized to access the API we will need to check the fine grained permissions. Should we authorize to the fine-grained user permission webservice using the access token provided by the user to the microservice, or should our microservices have their own set of client credentials to check the fine grained authorization service?
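As an added illustration of the two options in the question (not code from the poster's system or from casbin), the stdlib-only Python sketch below stands in for casbin with a tiny RBAC table and for the authorization server with an HMAC-signed token; the "orders-svc" client, the users, the policy and all secrets are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secrets (not real): the authorization server's signing key
# and the client credential issued to the hypothetical "orders-svc" microservice.
IDP_KEY = b"demo-idp-signing-key"
SERVICE_CREDENTIALS = {"orders-svc": "demo-orders-client-secret"}
# Stand-in for casbin: role assignments plus (role, object, action) rules.
ROLE_OF = {"alice": "editor", "bob": "viewer"}
POLICY = {("editor", "orders", "read"), ("editor", "orders", "write"),
          ("viewer", "orders", "read")}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, key: bytes, ttl: int = 300) -> str:
    """Issue a compact HS256 access token, as the authorization server would."""
    header = _b64(json.dumps({"alg": "HS256"}).encode())
    payload = _b64(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def validate_token(token: str, key: bytes) -> dict:
    """Verify signature and expiry; return the claims or raise ValueError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims

def enforce(sub: str, obj: str, act: str) -> bool:
    """RBAC decision: the subject's role must hold a matching rule."""
    return (ROLE_OF.get(sub), obj, act) in POLICY

# Option A: the microservice forwards the user's access token. The permission
# service identifies the user itself and need not trust the calling service.
def check_with_user_token(user_token: str, obj: str, act: str) -> bool:
    claims = validate_token(user_token, IDP_KEY)
    return enforce(claims["sub"], obj, act)

# Option B: the microservice uses its own client credentials and asserts the user
# id; the permission service must trust that assertion for any user the caller names.
def check_with_client_credentials(client_id, secret, sub, obj, act) -> bool:
    if not hmac.compare_digest(SERVICE_CREDENTIALS.get(client_id, ""), secret):
        raise ValueError("unknown client or bad secret")
    return enforce(sub, obj, act)
```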