How to understand if a token has been released via token-exchange grant type

ecostanzi · April 6, 2023, 10:00am

I was able to implement some sort of impersonation flow using the token_exchange preview feature.

I’m inspecting the token of the impersonating user and the token of the impersonated user but I see that there are no claims that allow me to understand that the latter is the impersonated user.

Is there a way to customize the token of the impersonated user so that I understand that we are in a “impersonation context”?

stropia · April 7, 2023, 7:30pm

In the access token, you should have “auth_method” set to “impersonate”

ecostanzi · April 11, 2023, 12:55pm

@stropia I could not find “auth_metod” in the token. Is there any mapper that helps to do it?

I found a useful default mapper in the latest version of keycloak, it allows to insert the impersonator user id into the token.

Topic		Replies	Views
Implementing User-level Impersonation	0	69	March 26, 2024
Token exchange - retrieve id_token fails Getting advice authentication , oidc	2	1790	March 1, 2022
Direct Naked Impersonation flow Configuring the server authentication	2	978	May 10, 2022
Custom authenticator on token exchange Getting advice authentication	2	1395	September 6, 2020
External token exchange with custom flow Getting advice	5	1690	March 9, 2022

How to understand if a token has been released via token-exchange grant type

Related Topics