Advice on how to integrate with authentication plugin

I am faced with an integration problem of a legacy system (LDAP) that uses an ActiveX authentication plugin (u/p, card, biometrics) which we want to place behind Keycloak for SSO. Since I cannot use this plugin as an identity provider I am wondering about the options I have.

The plugin will provide a token which can be verified with the external system. My idea was to somehow completely skip/replace the authentication part in Keycloak and provide a token exchange mechanism: once you login with the plugin use the external token and exchange it with Keycloak token. Of course the problem is also that Keycloak supports only exchange of OIDC tokens, but I presume this could be extended.

A couple of questions arise:

  1. Would this be a correct way to tackle this problem?
  2. Can Keycloak authentication be completely eliminated to allow authentication only with eternal token exchange?
  3. Is implementing custom token exchange feasible?
  4. Am I missing something, like potential security vulnerabilities?