What is the pattern for Impersonation in Camunda 8

Hi there
I am wondering, what would be the right pattern to implement impersonation in Camunda 8?

With impersonation I mean that you can call a REST API later in the process with the user that started the process, even the token of the user is not valid anymore.

We use OAuth2 with Keycloak. In Camunda 7 we do this manually with Keycloak REST API and the grant type urn:ietf:params:oauth:grant-type:token-exchange.
For this we get the authenticatedUserId from Camunda.