Federated client-credentials grant flow?

I’m looking for best practice advice to approach this use case:

Two separate Keycloak instances, one resource server protected by one of them.

“Keycloak-east” has a client “resources-east” (authorization services enabled, using UMA2). Resources, scopes, policies, permissions defined there.

“Keycloak-west” has a client/service-account “west-client”.

I want “west-client” to be able to access resources in keycloak-east.resources-east’s arsenal.

The challenge is that “west-client” does not exist in keycloak-east, so off the bat, it can only obtain tokens from keycloak-west.

For an end user (browser flow), it’s simply solved by adding a keycloak.west identity provider in keycloak.east, allowing end users from keycloak.west to be authenticated in west but accepted/shadowed/mapped/granted local privileges in west.

But I can’t seem to find a standard way to do that with service accounts (“client credentials” flow). I’ve been looking in the OAuth2/OpenID Connect/Keycloak docs to find the right flow so I don’t have to get crafty and unavoidably create something insecure.

Any advice?

Found my answer with the token exchange functionality of Keycloak 10.0.1 (preview).

That, combined with the ability to use one of the Keycloak instances as a regular OIDC provider, does the trick.
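The flow the answer describes, written out as an added example (this is not code from the poster or from the Keycloak project): west-client gets a token from keycloak-west with the client-credentials grant, presents it to keycloak-east's token endpoint with the token-exchange grant (`subject_issuer` naming the identity-provider alias under which keycloak-west is registered in keycloak-east), and then trades the resulting east token for a UMA RPT scoped to resources-east. Realm names (`west`, `east`), secrets, the `/auth` context path, the IdP alias `keycloak-west` and the `FakeKeycloaks` stand-in that lets the script run offline are all assumptions of this example. On a real Keycloak 10 the preview feature has to be switched on (the docs use `-Dkeycloak.profile.feature.token_exchange=enabled` together with `admin_fine_grained_authz`) and both the identity provider and the exchanging client must be granted the token-exchange permission, otherwise the second step returns an error.

```python
"""Federated client-credentials flow via Keycloak token exchange (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
UMA_TICKET = "urn:ietf:params:oauth:grant-type:uma-ticket"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"


def token_endpoint(base_url, realm):
    # Assumes the Keycloak 10 layout where base_url already ends in /auth.
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def client_credentials_form(client_id, client_secret):
    return {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}


def token_exchange_form(client_id, client_secret, subject_token, subject_issuer, audience=None):
    # External-to-internal exchange: keycloak-east validates the west token through
    # the identity provider named by subject_issuer and issues a local token for the
    # federated (shadow) user it creates for that subject.
    form = {"grant_type": TOKEN_EXCHANGE, "client_id": client_id,
            "client_secret": client_secret, "subject_token": subject_token,
            "subject_token_type": ACCESS_TOKEN, "subject_issuer": subject_issuer}
    if audience:
        form["audience"] = audience
    return form


def uma_rpt_form(audience, permissions=()):
    # permissions are "resource#scope" strings; none means "everything my policies grant".
    form = {"grant_type": UMA_TICKET, "audience": audience}
    if permissions:
        form["permission"] = list(permissions)
    return form


def http_transport(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:
        return e.read()  # Keycloak answers 4xx with a JSON error body


def post_form(url, form, bearer=None, transport=http_transport):
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    reply = json.loads(transport(url, urllib.parse.urlencode(form, doseq=True).encode(), headers))
    if "error" in reply:
        raise PermissionError(f"{url}: {reply['error']} {reply.get('error_description', '')}")
    return reply


def federated_rpt(west, east, west_client, west_secret, east_client, east_secret,
                  idp_alias, permissions=(), transport=http_transport):
    """west/east are (base_url, realm) tuples. Returns the RPT response from keycloak-east."""
    # 1. west-client authenticates where it actually exists.
    west_tok = post_form(token_endpoint(*west), client_credentials_form(west_client, west_secret),
                         transport=transport)["access_token"]
    # 2. keycloak-east swaps the foreign token for one of its own (shadow user).
    east_tok = post_form(token_endpoint(*east),
                         token_exchange_form(east_client, east_secret, west_tok, idp_alias,
                                             audience=east_client),
                         transport=transport)["access_token"]
    # 3. The east token is upgraded to an RPT carrying resources-east permissions.
    return post_form(token_endpoint(*east), uma_rpt_form(east_client, permissions),
                     bearer=east_tok, transport=transport)


class FakeKeycloaks:
    """Constructed offline stand-in for both servers; it is not a real Keycloak."""
    WEST_TOKEN, EAST_TOKEN, RPT = "west.at", "east.at", "east.rpt"

    def __init__(self, idp_alias="keycloak-west"):
        self.idp_alias = idp_alias

    def __call__(self, url, body, headers):
        f = urllib.parse.parse_qs(body.decode())
        grant = f["grant_type"][0]
        if "/realms/west/" in url and grant == "client_credentials":
            ok = f["client_id"] == ["west-client"] and f["client_secret"] == ["west-secret"]
            return self._reply(ok, {"access_token": self.WEST_TOKEN})
        if "/realms/east/" in url and grant == TOKEN_EXCHANGE:
            ok = (f["client_id"] == ["resources-east"] and f["client_secret"] == ["east-secret"]
                  and f["subject_token"] == [self.WEST_TOKEN]
                  and f.get("subject_issuer") == [self.idp_alias])
            return self._reply(ok, {"access_token": self.EAST_TOKEN})
        if "/realms/east/" in url and grant == UMA_TICKET:
            ok = headers.get("Authorization") == f"Bearer {self.EAST_TOKEN}"
            return self._reply(ok, {"access_token": self.RPT})
        return self._reply(False, {})

    @staticmethod
    def _reply(ok, payload):
        return json.dumps(payload if ok else {"error": "invalid_grant"}).encode()


if __name__ == "__main__":
    rpt = federated_rpt(("https://west.example/auth", "west"), ("https://east.example/auth", "east"),
                        "west-client", "west-secret", "resources-east", "east-secret",
                        "keycloak-west", transport=FakeKeycloaks())
    print(rpt["access_token"])
```

Against live servers, drop the `transport=` argument so `http_transport` is used; the three requests are the same ones you would type with curl against each token endpoint. Note that in the exchange step the client authenticating to keycloak-east is resources-east itself (or another east client allowed to exchange), not west-client, which still never needs to exist in keycloak-east.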