Salesforce Integration with Spring Microservice

I am using the JWT bearer token flow to get an access token from Salesforce and then call the Salesforce API using this access token. I have already generated a private key and certificate with OpenSSL and have uploaded the digital certificate to the Salesforce connected app.

Use Case:

We are only using the Salesforce database and not its UI. Our services interact with Salesforce, and the UI has no direct interaction with the Salesforce APIs. Our internal service needs to call Salesforce APIs while preserving user context.

I have gone through many OAuth flows, but the JWT bearer token flow looks most optimal to me. The flow goes like this:

  1. Get our own application token from Azure AD
  2. Extract the user email and create a new JWT for Salesforce and encrypt it using the private key
  3. Call the Salesforce OAuth endpoint with this JWT token
  4. In response, Salesforce will return an access_token
  5. Use this access token to further call Salesforce APIs on behalf of the actual user or a service user.

Now the issues are: Is my understanding correct, and is there any other more secure/optimal flow than the JWT bearer token flow to solve this? The Salesforce token is created with just the user email; anyone who knows the user email can generate a token on their behalf if they get access to the private key.

Is it okay to use this flow? I mean from the security perspective? Can anyone please clear this up?

Salesforce is also registered as an enterprise app in Azure AD. Can that be leveraged to grant access tokens instead of manually creating them?

I am using Azure AKS to host the microservices. Where should I save the private.key file and allow the Spring Boot app to read it? The private key will be in the hands of devs, and that might be a security breach.
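To make steps 2 to 4 of the flow concrete, here is an added example, not code from the asker's project or from Salesforce, that builds the RS256-signed assertion the JWT bearer flow sends to the token endpoint, verifies it the way the server side does, and assembles the token request body. It uses only the Java standard library. Assumptions: the class and method names are hypothetical; the private key is read as PKCS#8 DER from a file path in an environment variable (`SF_PRIVATE_KEY_PATH`, a made-up name), which is how a Kubernetes secret mounted into the pod would typically be consumed; the consumer key and username are constructed placeholders. The audience, token URL and grant type are Salesforce's documented values for a production org.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;

/**
 * Added example: builds and verifies the signed assertion used by the Salesforce
 * OAuth 2.0 JWT bearer flow. Class, method and variable names are hypothetical.
 */
public class SalesforceJwtAssertion {

    // Salesforce's documented audience and token endpoint for production orgs
    // (sandboxes use https://test.salesforce.com instead).
    static final String AUDIENCE = "https://login.salesforce.com";
    static final String TOKEN_URL = AUDIENCE + "/services/oauth2/token";
    static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Reads a PKCS#8 DER RSA private key from disk, e.g. a Kubernetes secret mounted into the pod. */
    static PrivateKey loadPrivateKey(Path pkcs8Der) throws Exception {
        byte[] der = Files.readAllBytes(pkcs8Der);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /**
     * Assertion = base64url(header) . base64url(claims) . base64url(RS256 signature).
     * iss = connected app consumer key, sub = Salesforce username, aud = login host,
     * exp = absolute expiry. Salesforce only accepts assertions that expire within
     * a few minutes, so the lifetime is kept short.
     */
    static String buildAssertion(PrivateKey key, String consumerKey, String username, Instant now) throws Exception {
        long exp = now.plusSeconds(120).getEpochSecond();
        String header = "{\"alg\":\"RS256\"}";
        // Claim values come from configuration, not from end users; real code should
        // let a JSON library handle escaping instead of String.format.
        String claims = String.format("{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"exp\":%d}",
                consumerKey, username, AUDIENCE, exp);
        String signingInput = b64(header) + "." + b64(claims);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(sig.sign());
    }

    /** What the token endpoint does: check the RS256 signature against the uploaded certificate's public key. */
    static boolean verifySignature(PublicKey pub, String assertion) throws Exception {
        String[] parts = assertion.split("\\.");
        if (parts.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    /** Form body POSTed to TOKEN_URL (step 3 in the question); the JSON response carries access_token. */
    static String tokenRequestBody(String assertion) {
        return "grant_type=" + URLEncoder.encode(GRANT_TYPE, StandardCharsets.UTF_8) + "&assertion=" + assertion;
    }

    private static String b64(String s) {
        return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String keyPath = System.getenv("SF_PRIVATE_KEY_PATH"); // hypothetical env var naming the mounted secret file
        PrivateKey priv;
        PublicKey pub = null;
        if (keyPath != null) {
            priv = loadPrivateKey(Paths.get(keyPath));
        } else {
            // Stand-alone demo: throwaway key pair so the example runs without any secret present.
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            KeyPair kp = gen.generateKeyPair();
            priv = kp.getPrivate();
            pub = kp.getPublic();
        }
        // Constructed placeholders; real values come from the connected app and the Azure AD token's email claim.
        String assertion = buildAssertion(priv, "CONSUMER_KEY_PLACEHOLDER", "user@example.com", Instant.now());
        System.out.println("POST " + TOKEN_URL);
        System.out.println(tokenRequestBody(assertion));
        if (pub != null) {
            System.out.println("signature verifies: " + verifySignature(pub, assertion));
        }
    }
}
```

The `verifySignature` method illustrates the concern raised in the question: a valid signature proves only that the private key was used, not who used it, and the `sub` claim is whatever the signer put there. Salesforce will still only issue a token for a user who is pre-authorized on the connected app, but within that set, custody of the private key is the control. The connected app needs only the certificate, so the private key never has to leave the cluster: keeping it in a Kubernetes secret (or a vault the pod reads at start-up) rather than in the image or the repository keeps it out of developers' hands while letting the Spring Boot app read it from a mounted path as the example does.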