Impersonation of external token

Hi, I set up an environment for testing impersonation based on this content from the official documentation (Securing Applications and Services Guide).

Everything works as expected except for external tokens! Based on this sentence from the URL above:

“7.4. Impersonation

For internal and external token exchanges, the client can request on behalf of a user to impersonate a different user.”

I assume that there's either a bug or a lack of configuration.

I have two realms (internal and external).
External is the IdP (OIDC) of the internal one.
In the internal realm there is an OIDC client for IdP brokering (token exchange works from the external realm), and a proper token-exchange permission on the IdP is created. I also created proper impersonation permissions for the internal OIDC client, and they also work. But I do not use naked impersonation; I used an internal token for testing impersonation.

What I found out is that if I try impersonation of an external realm token (the same example request from the documentation), it seems that only the token exchange happens but not impersonation.

Is this the correct behavior? Or do I need to do two requests? First a token exchange to obtain an internal token, and then a second request to impersonate the requested user with the internal token (previously exchanged from the external token)…

P.S. There is no error whatsoever in the logs during impersonation of the external token.

Kind Regards,