In my previous blog post on REST security I talk about how one could do identity propagation. That post generated some comments around how one could do federation for REST services.
The short answer is it depends on the type of client:
a) For non-browser type of clients - you can leverage an STS for doing federation for REST similar to SOAP services.
b) For browser type of clients - you could leverage Web Federation models.
STS based REST federation:
In this model however you will need to create a SOAP RST/RSTR to talk to an STS. There are some recent standards where you can talk to Security services that provide equivalent functionality as STS via REST binding instead of SOAP binding (Open ID Connect, etc). [Note: These are currently not supported by Oracle.]