Token Exchange to delegate access to a subset of resources to a third party

We are planning to build an "invite" feature to grant 3rd party systems limited access to some of our resources. OAuth2 Token Exchange seems like a promising solution.

When I perform a token exchange still within the same client, Keycloak responds with a new refresh and access token which include the claims of the subject_token (realm_access, resource_access, etc.).

How can I modify/reduce the scope, realm_access, resource_access etc. and add a custom claim with the ID of the resource to the new refresh and access token?

Kind Regards
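As an added example (not part of the original post and not Keycloak's own code), the two halves of the delegation described above in Python: the RFC 8693 token-exchange request body that asks the issuer for a narrower audience and scope, and the check a resource server should run on the resulting token so that a delegated token only ever unlocks the one invited resource. The claim name `resource_id`, the audience `invite-api` and the sample claims are constructed assumptions; whether the issuer actually down-scopes and mints the resource claim is issuer configuration (protocol mappers, in Keycloak's case), which is why the resource-server side refuses any token that lacks the claim rather than falling back to the copied realm or client roles.

```python
"""Added example: RFC 8693 token-exchange request plus a least-privilege
resource-server check for the delegated token. Not code from the original post."""
from urllib.parse import urlencode

# Standard RFC 8693 identifiers (not Keycloak-specific).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(subject_token, client_id, client_secret, audience, scopes):
    """Form body for the POST to the token endpoint (RFC 8693 section 2.1).

    'audience' and 'scope' are the standard ways to ask for a narrower token; the
    issuer decides whether to honour them. Returns the urlencoded body string.
    """
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": " ".join(sorted(scopes)),
    })


def authorize_delegated_access(claims, *, expected_aud, required_scope, resource_id,
                               resource_claim="resource_id"):
    """Decide whether already-verified claims permit `required_scope` on `resource_id`.

    Assumes the JWT signature, `exp` and `iss` were checked beforehand by a JWT
    library; this function only reasons about the claim set. The decision rests on
    aud, scope and the resource-binding claim alone: realm_access / resource_access
    roles copied from the subject token are deliberately ignored, because a token
    handed to a third party must not inherit the inviting user's full role set.
    Returns (allowed, reason).
    """
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_aud not in aud:
        return False, "audience mismatch"

    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted"

    bound = claims.get(resource_claim)
    if bound is None:
        # Hypothetical claim name; an unbound token could reach every resource, so deny.
        return False, f"no {resource_claim} claim: token is not bound to a resource"
    allowed = bound if isinstance(bound, list) else [bound]
    if resource_id not in allowed:
        return False, f"token bound to {allowed}, not {resource_id!r}"
    return True, "ok"


# Constructed sample: what a correctly narrowed delegated token's claims might look like.
SAMPLE_DELEGATED_CLAIMS = {
    "aud": "invite-api",
    "scope": "document:read",
    "resource_id": "doc-42",
    # Copied from the subject token by the issuer; ignored by the check above.
    "realm_access": {"roles": ["admin"]},
}


if __name__ == "__main__":
    body = build_exchange_request("<subject access token>", "invite-client",
                                  "<client secret>", "invite-api", ["document:read"])
    print(body)
    for rid, scope in [("doc-42", "document:read"), ("doc-43", "document:read"),
                       ("doc-42", "document:write")]:
        print(rid, scope, authorize_delegated_access(
            SAMPLE_DELEGATED_CLAIMS, expected_aud="invite-api",
            required_scope=scope, resource_id=rid))
```

The request helper is only the client half; the narrowing itself, and the custom resource claim, have to be produced by the issuer. The resource-server check is the part worth keeping regardless of how the issuer is configured: it fails closed on a token that carries the subject's roles but no resource binding, which is exactly the shape of token the post describes receiving.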