azist / azos

A to Z Sky Operating System / Microservice Chassis Framework
MIT License

(API access, API security)::Internal service api auth question - can we add a long-term bearer(or another scheme) for access by internal services? What tokens should internal services use? #796

Open itadapter opened 1 year ago

itadapter commented 1 year ago

Can service tokens have a client IP restriction policy, so if the token is stolen it cannot be used outside of the internal network?

We can also use OAuth STS; the question is: do we need such complexity for internal service access?

itadapter commented 1 year ago

We can use many approaches out of the box:

  1. Can use regular OAuth via IAuthAspect (see http call aspects)
  2. Can create a special token scheme which is restricted inside of the cluster only (for svcbasic)
  3. Can disable account principals used for internal traffic to confine within cluster internal network only
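One way to realise the client IP restriction policy raised in the first comment (and the cluster-confined token scheme of option 2), as an added C# example that is not azos project code and not the author's: a long-lived service token is stored only as a SHA-256 hash, carries an expiry and an allow-list of cluster CIDR ranges, and is accepted only when the TCP peer address of the caller falls inside one of those ranges. `ServiceToken`, `TokenValidator`, the in-memory store and all addresses, subjects and secrets are constructed for illustration; nothing here maps to azos types such as `IAuthAspect` or `svcbasic`.

```csharp
// Added example (not azos code): IP-bound long-term bearer tokens for internal services.
// All names, ranges and secrets below are hypothetical sample data.
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public sealed class ServiceToken
{
    public string Subject { get; }              // internal service account the token was minted for
    public DateTimeOffset ExpiresUtc { get; }   // long-lived, but still bounded
    public IReadOnlyList<(IPAddress Net, int Prefix)> AllowedNets { get; } // cluster CIDR allow-list

    public ServiceToken(string subject, DateTimeOffset expiresUtc, IEnumerable<string> cidrs)
    {
        Subject = subject;
        ExpiresUtc = expiresUtc;
        var nets = new List<(IPAddress, int)>();
        foreach (var cidr in cidrs)
        {
            var parts = cidr.Split('/');
            nets.Add((IPAddress.Parse(parts[0]), int.Parse(parts[1])));
        }
        AllowedNets = nets;
    }
}

public static class TokenValidator
{
    // Store is keyed by the hex SHA-256 of the token secret, so a memory dump of the
    // service does not yield usable bearer secrets.
    public static string Fingerprint(string secret) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(secret)));

    private static uint ToUInt32(byte[] b) =>
        ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];

    // True when 'addr' is inside net/prefix (IPv4 only in this example).
    public static bool InCidr(IPAddress addr, IPAddress net, int prefix)
    {
        byte[] a = addr.GetAddressBytes(), n = net.GetAddressBytes();
        if (a.Length != 4 || n.Length != 4) return false;
        uint mask = prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix); // shift by 32 would wrap in C#
        return (ToUInt32(a) & mask) == (ToUInt32(n) & mask);
    }

    // 'peer' must be the transport-level remote endpoint, not a client-supplied header.
    public static (bool Ok, string Reason) Validate(
        IReadOnlyDictionary<string, ServiceToken> store, string presentedSecret,
        IPAddress peer, DateTimeOffset nowUtc)
    {
        if (!store.TryGetValue(Fingerprint(presentedSecret), out var tok))
            return (false, "unknown token");
        if (nowUtc >= tok.ExpiresUtc)
            return (false, $"token for {tok.Subject} expired");
        foreach (var (net, prefix) in tok.AllowedNets)
            if (InCidr(peer, net, prefix))
                return (true, $"ok: {tok.Subject}");
        // A valid secret arriving from outside the cluster ranges is exactly the
        // stolen-token case: deny, and treat the event as a detection signal.
        return (false, $"peer {peer} outside allowed networks for {tok.Subject}");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: one token for a billing service, valid for a year,
        // usable only from two internal ranges.
        const string secret = "svc-billing-EXAMPLE-SECRET-do-not-reuse";
        var store = new Dictionary<string, ServiceToken>
        {
            [TokenValidator.Fingerprint(secret)] = new ServiceToken(
                "svc/billing", DateTimeOffset.UtcNow.AddDays(365),
                new[] { "10.42.0.0/16", "192.168.100.0/24" })
        };
        var now = DateTimeOffset.UtcNow;

        var inside = TokenValidator.Validate(store, secret, IPAddress.Parse("10.42.7.12"), now);
        var outside = TokenValidator.Validate(store, secret, IPAddress.Parse("203.0.113.9"), now);
        var wrong = TokenValidator.Validate(store, "guess", IPAddress.Parse("10.42.7.12"), now);

        Console.WriteLine($"internal peer : {inside.Ok} ({inside.Reason})");   // True
        Console.WriteLine($"external peer : {outside.Ok} ({outside.Reason})"); // False, stolen-token case
        Console.WriteLine($"bad secret    : {wrong.Ok} ({wrong.Reason})");     // False
    }
}
```

The allow-list only helps if `peer` is taken from the accepted socket's remote endpoint; honouring an `X-Forwarded-For` style header here would let an external caller claim an internal address, unless that header is set by a proxy the service trusts. The "outside allowed networks" branch is the one worth alerting on, because legitimate internal callers should never hit it.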