Question
Design service-to-service authentication and on-behalf-of delegation for a microservice mesh of ~2,000 services, where a user-facing request fans out through many services and each downstream call must (a) prove the caller's service identity and (b) carry the original user's identity and scopes so a deep service can authorize on the user's behalf — without any service being able to forge a more powerful token than it was handed. Throughput: millions of internal calls/sec. Walk through how service identity and user context propagate, how downstream services validate without a central bottleneck, and how you prevent privilege escalation across hops.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.