Hi @dar88rm,
You wrote “calling a Rest API from a Service Task”. I assume you are trying to call a 3rd party ReST API secured by Keycloak from a Service Task.
IMHO you shouldn’t use user tokens as a means of trust between engine and 3rd party ReST API. The few downsides are: (1) tokens may expire at the moment you make the api call, (2) if stored in process instance, they are readable in cleartext.
Instead, I would setup a more direct trust between engine and API, e.g. create a client for engine in Keycloak, and use that to make calls from engine to API with engine credentials. To keep track of the user at API side, just convey that as extra context info in API calls.