- What is the best approach to creating an account for John in my User service?
There is not much to do here: just get the user details from FB and call your user-create endpoint. For a RESTful API you will probably want to do a POST to https://your_api_gateway/users
- Once logged in as John, how does the WebApp propagate the identity of John to the Order service?
One option is to use a token microservice. At login time you would create a long-lived auth token and a short-lived access token. The auth token is the source of trust that you never share. You return the access token to the client webapp. All calls from the client to any of your microservices will send that access token as part of the request. Another option is to simply use the access token generated by FB/Google.
- How does the Order service validate that John is logged in?
Your Order service would receive an access token in the request. As long as the access token is valid, you can assume that John is logged in.
- How can interdependent services Order & User trust each other?
The access token is signed by the token microservice (which should be a trusted service), and it can contain additional information that can be further verified by any of your microservices.
- Downstream services will become very "chatty" with the Authorisation Server (Facebook, Google)
Once you generate the access token, you don't need to call FB or Google again until your webapp decides that the user needs to be authenticated again.
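The token flow described in this answer (long-lived auth token kept by the token service, short-lived signed access token handed to the client, every downstream service verifying the signature and expiry itself, and refreshes that never touch FB/Google), as an added example that is not the answerer's code. It uses only the Python standard library with an HMAC-signed, JWT-shaped token; the service names, claim values, key and lifetimes are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenError(Exception):
    """Raised when a token fails validation."""


class TokenService:
    """Hypothetical token microservice (assumed name 'token-service').

    Holds the signing key and the table of long-lived auth tokens. The auth
    token never leaves this service; only the short-lived access token goes
    to the client webapp.
    """

    def __init__(self, signing_key: bytes, access_ttl: int = 300, auth_ttl: int = 30 * 86400):
        self._key = signing_key
        self._access_ttl = access_ttl
        self._auth_ttl = auth_ttl
        # auth token -> (user id, expiry); constructed in-memory store for the example
        self._auth_tokens: Dict[str, Tuple[str, int]] = {}

    def login(self, user_id: str, now: Optional[int] = None) -> Tuple[str, str]:
        """Called once, after the FB/Google identity has been verified and the
        user exists in the User service. Returns (auth_token, access_token)."""
        now = int(time.time()) if now is None else now
        auth_token = secrets.token_urlsafe(32)
        self._auth_tokens[auth_token] = (user_id, now + self._auth_ttl)
        return auth_token, self.issue_access_token(user_id, now)

    def refresh(self, auth_token: str, now: Optional[int] = None) -> str:
        """Mint a fresh access token from the long-lived auth token. No call to
        FB/Google is made here; only a missing/expired auth token sends the
        user back to the identity provider."""
        now = int(time.time()) if now is None else now
        entry = self._auth_tokens.get(auth_token)
        if entry is None or entry[1] <= now:
            raise TokenError("unknown or expired auth token; re-authenticate with the IdP")
        return self.issue_access_token(entry[0], now)

    def issue_access_token(self, user_id: str, now: int) -> str:
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": "token-service", "sub": user_id, "iat": now,
                  "exp": now + self._access_ttl, "roles": ["customer"]}  # assumed claim set
        compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
        signing_input = f"{b64url_encode(compact(header))}.{b64url_encode(compact(claims))}"
        sig = hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url_encode(sig)}"


def verify_access_token(token: str, signing_key: bytes, now: Optional[int] = None) -> dict:
    """What every downstream service (Order, User, ...) does on each request:
    check signature, issuer and expiry locally, then trust the claims."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise TokenError("unexpected alg")
    expected = hmac.new(signing_key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != "token-service":
        raise TokenError("unexpected issuer")
    if int(claims.get("exp", 0)) <= now:
        raise TokenError("access token expired; client should call refresh")
    return claims


def order_service_create_order(token: str, signing_key: bytes, item: str,
                               now: Optional[int] = None) -> dict:
    """Hypothetical Order service handler: the owner comes only from the verified token,
    never from a user id the client sends alongside it."""
    claims = verify_access_token(token, signing_key, now)
    return {"owner": claims["sub"], "item": item}
```

With HMAC the Order service needs the same secret as the token service, so every verifier can also mint tokens; if that is unacceptable, sign with an asymmetric key (RS256/ES256) and distribute only the public key to downstream services. The expiry check is what bounds the damage from a stolen access token, and the auth-token table is what lets the token service revoke a session without any further round trip to FB or Google.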