You should make your microservices talk to each other with an API endpoint in between (i.e., instead of sending messages directly to each other, they first send the message to an API endpoint, which in turn delivers it to the other microservice). So, if microservice A wants to talk to microservice B, it should first make a request to an API endpoint, let's say /sendMessage. Now, /sendMessage will take care of all the authentication jazz and then call microservice B.
Well, I thought you might have considered service discovery or reverse-proxying the request somewhat beneficial, which don't apply when using a message bus.
I think I'd prefer
I'm still not sure whether to pass along a JWT-like structure with all consumer details or to have each service request consumer details (like permissions) from a dedicated consumer service. Based on performance, it probably depends on how many requests the consumer service needs to handle vs. the overhead of possibly sending the JWT around needlessly. And, if not using JWT internally, how do you authenticate the payload, so that a bug doesn't creep into the consumer details and get passed around wrongly?
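One way to authenticate consumer details carried on a message bus without a full JWT library, shown as an added example that is not part of the original thread: the issuing service serializes the details once and attaches an HMAC-SHA256 tag, and every receiver verifies the tag, audience and expiry before reading any field. The shared key, the function names `seal` and `open_sealed`, and the `aud`/`exp` fields are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): a real deployment loads this from a secret store.
SHARED_KEY = b"demo-key-not-for-production"


def b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii")


def seal(consumer, audience, ttl=60, now=None):
    """Serialize consumer details once and attach an HMAC-SHA256 tag."""
    issued = int(time.time() if now is None else now)
    body = json.dumps(
        {"consumer": consumer, "aud": audience, "exp": issued + ttl},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(tag)


def open_sealed(token, audience, now=None):
    """Verify tag, audience and expiry before trusting any field."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # wrong part count or invalid base64
        raise ValueError("malformed envelope") from exc
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)  # parsed only after the tag checks out
    if claims["aud"] != audience:
        raise ValueError("wrong audience")
    if claims["exp"] < (time.time() if now is None else now):
        raise ValueError("expired")
    return claims["consumer"]
```

A single shared key means any service that can verify can also mint envelopes; if only the issuing service should be able to do that, an asymmetric signature fills the same role.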