How to authenticate a WebApp as JSON API Client

I have an access & id token from Vault OIDC authentication (i.e. the user accessing the WebApp is already authenticated with Vault). The WebApp now wants to make OpenAPI calls to an endpoint that is secured by Vault through bearer token.

I can create a token for the user in a terminal, but not from the WebApp.
How can the WebApp get a bearer token (for the already authenticated entity) that can then be used as a bearer token for API calls?