Service token session data

I have two issues that perhaps can be solved with one stone.

Our application consists of many microservices. Users have varying sets of permissions to access resources. Some resource calls may result in calls to other resources on other microservices, which may be protected by a scope that the current user does not have. We then use an internal service token to make that request on behalf of the user.

The second use case is that we have users (not registered) that need to access our application. Since Keycloak does not provide a magic link out of the box, we went with custom access keys, implemented without Keycloak, that access an external API, and then we use our internal service token to make the required external-to-internal API requests.

Both of these use cases share the same problem: the receiver of a request made with the service token does not know who made the request (on whose behalf the request is being made).

We could send such data in a header, but this would be a management headache, as this data would have to be sent by microservices multiple times in the same flow.
The easiest would be to have this data put in the token session data and accessed from the access_token, if this is even possible. We could write some custom code to achieve this, but would rather avoid it, as this also becomes a maintenance load, and we would like to avoid building anything custom on top of Keycloak.

Is there anything out of the box from Keycloak that we could use to resolve our problem?