Description
We currently create a client session when an access token is requested from token-exchange and the client session of the requester-client is not already in the user session. Ideally, we would avoid creating a client session in this case.
The client session is currently needed for the case where the exchanged token is sent to the Introspection endpoint or the UserInfo endpoint. Maybe also other endpoints (e.g. account/admin REST and more?). Can we make those endpoints available even if the client session of the requester-client does not exist on the user session?
One possibility that might help is issue #37118. It can help to detect whether an access token was created from the token-exchange grant (hence this issue should probably be a follow-up to #37118).
Note: The AuthenticatedClientSessionModel object instance would probably still be needed (similarly to ClientSessionContext), but hopefully we can make it "transient" to avoid persisting it in Infinispan (something similar to what we did for the OAuth2 client-credentials grant).