How to prevent horizontal escalation attacks when a centralized authorization service as gateway is used?


Say I have a gateway which provides authorization mechanisms by validating a JWT; behind the API gateway there are different microservices, but only the gateway port is public. As the software designer, you decide to make all microservices unaware of authorization-related operations, to remove code duplication and minimize the components affected when a security-related change is needed. That is, none of the microservices would contain any validation of the JWT.

How is it possible to prevent a horizontal privilege escalation when there's a valid JWT but the attempted operation does not pertain to the current user, such as updating the user profile of a different person? Keep in mind the API should not require reading and comparing the subject or issuer of the JWT with the user profile being updated. Is it even possible to achieve this?
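One way to keep the ownership check out of the microservices is to enforce it at the edge: the gateway validates the JWT, maps the token subject onto the resource id in the path, and forwards only a gateway-set identity header that the backends trust. The following is an added example written for this question; it is not code from the question or from any gateway product. It assumes an HS256 shared secret (a real deployment would verify the issuer's RS256/ES256 signature), a route convention of `/users/{id}/...` for user-scoped resources, a `/users/me` alias, and the header names `X-User-Id` / `X-User-Roles`; all of these are assumptions.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed shared secret for the example; a real gateway verifies against the issuer's public key.
SECRET = b"demo-secret-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT. Only here so the example runs offline; the gateway itself never mints."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: the 'alg' field in an untrusted token must never choose the check.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        return None
    return claims


@dataclass
class Decision:
    status: int          # 200 = forward to backend, 401 = no valid token, 403 = not the owner
    path: str            # possibly rewritten path the backend will receive
    headers: dict = field(default_factory=dict)


# Assumed route convention: /users/{id}/... is owned by that user id.
USER_SCOPED = re.compile(r"^/users/(?P<id>[^/]+)(?P<rest>/.*)?$")


def gateway(method: str, path: str, headers: dict, now: Optional[int] = None) -> Decision:
    """Edge authorization: validate the JWT, enforce ownership, forward a trusted identity header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return Decision(401, path)
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None or claims.get("sub") is None:
        return Decision(401, path)
    sub = str(claims["sub"])
    roles = claims.get("roles", [])

    # Strip any identity headers the client supplied; only the gateway may set X-User-*.
    forwarded = {k: v for k, v in headers.items()
                 if not k.lower().startswith("x-user-") and k.lower() != "authorization"}

    m = USER_SCOPED.match(path)
    if m:
        target, rest = m.group("id"), m.group("rest") or ""
        if target == "me":
            # Resolve the self-alias here so the backend never compares ids itself.
            path = f"/users/{sub}{rest}"
        elif target != sub and "admin" not in roles:
            # Valid token, but the resource belongs to someone else: block at the edge.
            return Decision(403, path)

    forwarded["X-User-Id"] = sub
    forwarded["X-User-Roles"] = ",".join(roles)
    return Decision(200, path, forwarded)
```

The backend can trust `X-User-Id` only because, as the question states, the gateway is the sole public ingress; that assumption should be enforced with network policy, not convention. The path-based rule covers resources whose owner is visible in the URL. For resources keyed by an opaque id (an order, a document), the gateway cannot know the owner without a lookup, so the remaining options are to have each backend scope its queries by the forwarded `X-User-Id`, or to have the gateway consult a policy service that knows the ownership mapping.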