I tried to do OAuth token exchange with Authentik. Here is the security tradeoff nobody mentions.
Authentik does not support RFC 8693 token exchange. The workaround works, but it shifts a security assumption most people never notice. Here is what I found and how it compares to Keycloak.