[keycloak-user] User Propagation (on behalf of flow) in REST/OIDC+OAuth2

[Raggy Fab]

Hi Keycloak users!

At my old company, when using SOAP, we were using Standards like WS-Trust
including a Security Token Service to authenticate SAML Token for our users
(incl. audience-uri-specific claims/role). We used the WS-Federation
Standard to let users authenticate and use WS-Trust to propagate the user's
saml token across multiple applications/webservice hops. (onBehalfOf Flow).
We did use SAML token issued from service accounts for backend2backend
communication.

Now my question is:
Which of these use cases are supported (out of the box or partly supported)
based on which protocol/flows in the keycloak REST/OIDC/OAuth2/JWT World? I
had trouble finding input specifically how to implement a onBehalfOf Flow
online. We also have a use case where an external provider sends us a jwt
token signed by his STS (which are valid users in our world we can map)
which we would like to "federate" (sign by our STS and translate his
claims) and was wondering what the best way would be to achieve such a
token "translation" and if there is a standard for that.

If you can point me to a specific flow which is supported by keycloak or
how to give me hints how achieve a similar use case (or let me know if
there is no standard for a certain use case) that would be awesome!

greetings
Raggy