This article makes use of a pretty tight integration with Tyk, where the client will authorise against a third-party IDP (either via an open redirect through the gateway or a direct connection) but this intermediary actually generates a JWT and a token using the Tyk api, and the Tyk gateway then does header substitutions so the JWT doesn’t need to be sent but an api token.
TIB can donsomething similar, but you might need to modify it.