one of the typical scenarios for using token exchange functionalities from IdP is described here : https://security.stackexchange.com/questions/188543/token-exchange-at-a-rest-api-gateway-to-federate-authentication-while-maintainin

So for example it might entail a change of token for change of audience reasons or for not exposing publicly internal RBAC on the backend.

This functionality is now available as TP on RHSSO which means that an API Gateway might be used in the future to make this exchange by calling the relative REST endpoint and forward the modified request to the backend.

https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/html/securing_applications_and_services_guide/token-exchange