
oauth 2.0 - Token exchange with lightweight access token - Stack Overflow


I am trying to figure out how to perform lightweight access token exchange in Keycloak 26. So far I was able to make it work with a regular access token with the following:

```bash
# get the access token (password grant against the master realm, admin-cli client)
access_token_1=$(curl -Ss -X 'POST' "http://localhost:8000/auth/realms/master/protocol/openid-connect/token" -d "client_id=admin-cli&grant_type=password&username=admin&password=qwerty12345&scope=openid" | jq -r .access_token)

# exchange it for an access token in another realm (RFC 8693 token-exchange grant)
access_token_2=$(curl -Ss -X 'POST' "http://localhost:8000/auth/realms/abc/protocol/openid-connect/token" -d "client_id=admin-cli&grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token=$access_token_1&audience=admin-cli" | jq -r .access_token)
```

When I switch the admin-cli client to always use a lightweight access token, the procedure above fails on the second step with the error `subject_token validation failure`. In the logs I can see the message `Failed to verify identity token: Key not found`.

The reason why I want to use a lightweight access token is that I have hundreds of realms in my setup and the regular access token is way too big (over 60KB).

The ultimate goal here is to use an access token from the master realm and exchange it for a token that belongs to another user in another realm (impersonation).
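The first thing a practitioner would check on a "Key not found" verification error is whether the `kid` in the subject token's header is present in the key set of the realm that is asked to verify it; a token signed by the master realm's key is not in the `abc` realm's JWKS, so `abc` can only accept it if it has been configured to trust that issuer. The helpers below, added here as an example and not part of the original post or of Keycloak, decode a JWT offline (no signature check), pull out `kid`, `iss` and `aud`, measure the token size, and compare the `kid` against a JWKS document. They assume the same base URL and realm names as the question, the standard Keycloak JWKS path `/protocol/openid-connect/certs`, and, for the impersonation goal, the `requested_subject` parameter of Keycloak's legacy (preview) token-exchange feature; the sample token, its JWKS documents and the dummy signature are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: offline JWT inspection plus thin wrappers around the same
# Keycloak endpoints the question uses. Base URL and realm names are assumptions.
KC_BASE="http://localhost:8000/auth"

b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

# base64url -> bytes; restores the padding that JWTs strip off
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_part TOKEN N -> decoded JSON of part N (1 = header, 2 = payload)
jwt_part() { b64url_decode "$(printf '%s' "$1" | cut -d. -f"$2")"; }

# jwt_claim TOKEN PART NAME -> value of a top-level string claim (flat JSON only)
jwt_claim() { jwt_part "$1" "$2" | sed -n "s/.*\"$3\":\"\([^\"]*\)\".*/\1/p"; }

# size of the encoded token in bytes (the 60KB problem from the question)
jwt_bytes() { printf '%s' "$1" | wc -c | tr -d ' '; }

# jwks_has_kid JWKS_JSON KID -> exit 0 if a key with that kid is in the document
jwks_has_kid() { printf '%s' "$1" | grep -q "\"kid\"[[:space:]]*:[[:space:]]*\"$2\""; }

# Constructed sample token: realistic master-realm header/payload, fake signature.
sample_token() {
  local hdr='{"alg":"RS256","typ":"JWT","kid":"master-key-1"}'
  local pl='{"iss":"http://localhost:8000/auth/realms/master","aud":"admin-cli","sub":"f1c2","typ":"Bearer","scope":"openid"}'
  printf '%s.%s.%s' "$(b64url_encode "$hdr")" "$(b64url_encode "$pl")" \
    "$(b64url_encode 'not-a-real-signature')"
}

# Online check: is the token's kid in REALM's published key set?
# kc_kid_in_realm TOKEN REALM
kc_kid_in_realm() {
  local jwks
  jwks=$(curl -Ss "$KC_BASE/realms/$2/protocol/openid-connect/certs")
  jwks_has_kid "$jwks" "$(jwt_claim "$1" 1 kid)"
}

# Token-exchange grant as in the question, with optional impersonation target.
# kc_token_exchange REALM CLIENT SUBJECT_TOKEN AUDIENCE [REQUESTED_SUBJECT]
# requested_subject is the legacy token-exchange parameter (assumption: that feature is enabled).
kc_token_exchange() {
  local data="client_id=$2&grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token=$3&audience=$4"
  if [ -n "${5:-}" ]; then data="$data&requested_subject=$5"; fi
  curl -Ss -X POST "$KC_BASE/realms/$1/protocol/openid-connect/token" -d "$data"
}

# Usage (offline part): inspect the token before sending it to the target realm.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  t=$(sample_token)
  echo "kid=$(jwt_claim "$t" 1 kid) iss=$(jwt_claim "$t" 2 iss) aud=$(jwt_claim "$t" 2 aud) bytes=$(jwt_bytes "$t")"
  echo "header: $(jwt_part "$t" 1)"
fi
```

Run `kc_kid_in_realm "$access_token_1" abc` against a live server to see whether the target realm's key set contains the subject token's `kid`; if it does not, the token cannot be verified by that realm's own keys, which is consistent with a "Key not found" failure in the target realm's log. `jwt_bytes` is also the quick way to confirm how much the lightweight setting shrinks the master token.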
