Calling internal API services from public API service with user context

Hi

We are having a microservice based architecture for our application which has a single frontend. This frontend will always talk to a single backend service, which provides a public API. So, the frontend and the backend are secured by setting the audience while generating the token.

But, most of the time, this central backend would call other internal services that are also secured. I would like this call to happen on behalf of a user (generally the user will somehow initiate this internal call) and this internal call can also be async. This is because I want to set the user context in my internal services to match the incoming security context. So, I don’t think a M2M auth flow is going to work. I think I can pass a user id while doing a M2M auth flow but I would like to avoid this unless absolutely necessary.

Is something like this possible? If not, I can look into manually setting the user context by sending the user id in a M2M flow but are there any issues to such an implementation?

Any insights are greatly appreciated!