How to request impersonated tokens for testing an inbox application


I am new to Keycloak and have a problem with the following scenario (above the dashed line):

We are developing workflow applications (frontend written in Angular, backend written in Java / Spring Boot). These workflow applications create user tasks. The tasks will be listed in the inbox, depending on the user that is logged in (only the user's own tasks are visible). When I open the inbox application and log in, I get a Keycloak token. So my application knows it’s me. I can open the tasks for application 1 or 2 and I don’t need to log in again.

For development and testing it is necessary to log in as someone else. I know there is the possibility of impersonating, but I don’t know how to realize it.

I think the “best way” will be the scenario below the dashed line (in the picture above).

I enter the username at the inbox frontend and send the name to the inbox backend. The backend is running with a confidential client and requests an impersonated token. This token will be sent to the inbox frontend and then to the frontends of applications 1 and 2 (when the tasks are opened).

  • Is this the right way?
  • Does someone have sample applications for the scenario I need?

I hope someone can help me.

Best regards,
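
The backend step described in the question, as an added example that is not part of the original post: a confidential client asks Keycloak's token endpoint for a token issued to another user, using the token-exchange grant with `requested_subject`. It assumes the token-exchange feature is enabled on the server and the client has been granted permission to impersonate; the URL, realm, client id and user names are constructed placeholders, and the `TESTERS` allow-list is a hypothetical backend check, needed because Keycloak only authenticates the client here, not the person who typed the username.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.stream.Collectors;

public class ImpersonationTokenClient {
    // Assumed values: replace with your own server, realm and confidential client.
    static final String TOKEN_URL =
        "https://keycloak.example.test/realms/demo/protocol/openid-connect/token";
    static final String CLIENT_ID = "inbox-backend";
    // Hypothetical allow-list: only these logged-in testers may impersonate.
    static final Set<String> TESTERS = Set.of("alice.dev");

    /** Builds the token-exchange request; rejects callers who are not testers. */
    static HttpRequest buildRequest(String caller, String targetUser, String clientSecret) {
        if (!TESTERS.contains(caller)) {
            throw new SecurityException(caller + " may not impersonate other users");
        }
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
        form.put("client_id", CLIENT_ID);
        form.put("client_secret", clientSecret);
        form.put("requested_subject", targetUser); // username or user id to impersonate
        String body = form.entrySet().stream()
            .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
        return HttpRequest.newBuilder(URI.create(TOKEN_URL))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
    }

    public static void main(String[] args) throws Exception {
        // The secret stays on the backend: environment or vault, never the frontend.
        String secret = System.getenv("KEYCLOAK_CLIENT_SECRET");
        if (secret == null || args.length < 1) {
            // No server configured: only show the request that would be sent.
            System.out.println(buildRequest("alice.dev", "bob", "<client-secret>"));
            return;
        }
        // In a real backend the caller comes from the validated login token,
        // not from a constant; "alice.dev" is a constructed sample value.
        HttpRequest req = buildRequest("alice.dev", args[0], secret);
        HttpResponse<String> resp = HttpClient.newHttpClient()
            .send(req, HttpResponse.BodyHandlers.ofString());
        // On success the JSON body carries an access_token for the target user.
        System.out.println(resp.statusCode() + " " + resp.body());
    }
}
```

Keep the impersonation permission and this endpoint out of production realms, and log every exchange with both the tester and the impersonated user so test activity can be told apart from real user activity.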