Description
Currently the external-to-internal token exchange always creates a new user session (https://github.com/keycloak/keycloak/blob/26.0.7/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L558). When the `requested_token_type` is an access token, creating a new user session is possibly not needed. If we can avoid creating the user session, we can omit the `sid` (and `session_state`) claim from the access token.
It is a similar case to the service account login (OAuth2 client credentials grant), which also does not create a user session. We should double-check that creating the session is really not needed, and also double-check that endpoints like the userinfo endpoint, the introspection endpoint and the revocation endpoint work as expected when the exchanged access token is sent to them. It should probably be fine, as service accounts already use those endpoints without a `session_state` claim, but it is to be double-checked.
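As an added helper for the double-check described above (not part of Keycloak or this issue), the following builds the exchange request that asks for an access token only and then inspects the returned token for the session-bound claims; the `subject_issuer` parameter name and the identity provider alias are assumptions to verify against your Keycloak version.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
# Claims that are only present when the token is bound to a user session.
SESSION_CLAIMS = ("sid", "session_state")


def build_exchange_form(client_id, client_secret, subject_token, subject_issuer):
    """Form body for an external-to-internal exchange requesting an access token only."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_issuer": subject_issuer,  # assumed: identity provider alias (Keycloak-specific)
        "requested_token_type": ACCESS_TOKEN_TYPE,
    })


def jwt_claims(token):
    """Decode the payload of a compact JWT without verifying it (inspection only, not trust)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_claims_present(token):
    """Return the session-bound claims the token carries; empty means no user session behind it."""
    claims = jwt_claims(token)
    return [c for c in SESSION_CLAIMS if c in claims]


def make_unsigned_jwt(claims):
    """Constructed sample token (alg none, empty signature) for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed tokens: one shaped like today's exchanged token, one like a service-account token.
    exchanged = make_unsigned_jwt({"sub": "user-1", "sid": "c0ffee", "session_state": "c0ffee"})
    service_account = make_unsigned_jwt({"sub": "service-account-app", "azp": "app"})
    print("exchanged token session claims:", session_claims_present(exchanged))
    print("service account session claims:", session_claims_present(service_account))
```

Run the same `session_claims_present` check on a real exchanged token before and after the change, then send that token to the userinfo, introspection and revocation endpoints to confirm they behave like they do for service-account tokens.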