[EOEPCA/IAM] Evaluate Token Exchange (RFC8693)

[w-scho]

The Keycloak community is currently working on making Token Exchange (RFC8693) a fully supported and stable feature (see keycloak/keycloak#31546). This is currently associated with the Keycloak 26.2.0 milestone, which is due by 2025-03-31. So there is a good chance that it will be available soon enough to be leveraged by EOEPCA.
Token Exchange addresses typical delegation and impersonation use cases and may thus fit well for our delegated access scenarios.

This ticket aims at evaluating the applicability of Token Exchange for EOEPCA use cases and its interoperability with other techniques. This should probably be evaluated when Token Exchange is officially available and reasonably stable in Keycloak.

Details to be evaluated include:

• Interoperabiliy with offline tokens
• Possibility to exchange a short-living for a long-living access token or for an access token accompanied by a refresh token
  Currently Keycloak's token exchange always returns a refresh token, but see Review and document how refresh tokens are issued when executing token exchanges keycloak/keycloak#23144

Note that some features that would be quite interesting for EOEPCA are covered by optional tickets and may not make it into Keycloak 26.2. These include:

• Improve control over audience and scope for token-exchange keycloak/keycloak#31553
  This is one of the core functionalities we could benefit from.
• Requested (additional) scopes get lost in token exchange since Kecyloak 24 keycloak/keycloak#29614
  This primarily aims at requesting an offline token via token exchange, which maybe could eliminate our remaining issues with long-living tokens.