Implementing User-level Impersonation

Hi there,

I’m trying to implement a ‘Power-of-Attorney’ type feature, where a user is approved to act as another user, by impersonating them.

I know Keycloak has Client-level impersonation, where the use-case there is for an Admin/Support to log in as a user.

So I’m wondering if this is possible to do at the User level - where a specific user can log in as another user, and receive a JWT for them. Maybe they firstly need to be authenticated as themselves to then perform the token exchange, probably?

Also, the users are using OpenId authorization code flow to log in, thus the token is not sent to the user so they can’t do the token exchange, so even if I could enable this, I’m not seeing how this is possible, unless there is effectively 2 authentications, one is normal, the second does the token exchange?

Has anything like this been done before, and how would I implement it, if anyone has any ideas?
Is this something that can be done out of the box with Keycloak, or would I have to implement a custom Service Provider Interface in Keycloak?

The IdP is custom built, so I actually can change its functionality. So I’m wondering if I could simply get it to issue the JWT for the other user in its /token endpoint, that Keycloak then consumes, and the user simply logs in, and is logged in as the other user - and the approval to do this is set in the IdP?

Thanks for any help on this!

Justin
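As an added illustration of the "authenticate as yourself first, then exchange" approach the post speculates about (this is example code written for this page, not something the poster or the Keycloak project provided): the backend that completed the authorization-code flow holds the acting user's access token, checks its own approval record, and then calls Keycloak's token-exchange grant with `requested_subject` to obtain a token for the other user. The grant type and `requested_subject` parameter are Keycloak's documented impersonation form of token exchange, which requires the token-exchange feature to be enabled and the client to be granted impersonation permission on the target users. The client id `poa-backend`, the realm URL, the `APPROVALS` table and the offline stand-in transport are assumptions constructed for the example.

```python
import base64
import json
import urllib.parse
import urllib.request

# RFC 8693 grant type and token type identifiers used by Keycloak's token exchange.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed 'power of attorney' approvals owned by the application: actor -> allowed subjects.
# In a real deployment this is a database table with an audit trail of who granted what.
APPROVALS = {"alice": {"bob"}}


def is_approved(actor: str, target: str) -> bool:
    """Return True if `actor` has been granted the right to act as `target`."""
    return target in APPROVALS.get(actor, set())


def build_exchange_request(token_url: str, client_id: str, client_secret: str,
                           subject_token: str, requested_subject: str) -> dict:
    """Build the form body for Keycloak's impersonation-style token exchange.

    `subject_token` is the acting user's own access token (held by the backend after the
    authorization-code flow); `requested_subject` names the user whose token is requested.
    """
    return {
        "url": token_url,
        "form": {
            "grant_type": TOKEN_EXCHANGE_GRANT,
            "client_id": client_id,
            "client_secret": client_secret,
            "subject_token": subject_token,
            "requested_token_type": ACCESS_TOKEN_TYPE,
            "requested_subject": requested_subject,
        },
    }


def keycloak_post(url: str, form: dict) -> dict:
    """Real transport: POST the form to Keycloak's token endpoint and return the JSON reply."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def b64url_decode(part: str) -> bytes:
    """Decode base64url with the padding JWT segments omit."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload only. This does not verify the signature: before trusting any
    claim, verify the token against the realm's JWKS (/protocol/openid-connect/certs)."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(b64url_decode(payload))


def act_as(actor: str, target: str, subject_token: str, http_post=keycloak_post,
           token_url="https://keycloak.example/realms/myrealm/protocol/openid-connect/token",
           client_id="poa-backend", client_secret="<client-secret>") -> dict:
    """Check the application-level approval, then exchange for a token of `target`.

    Raises PermissionError when no approval exists and ValueError when the returned
    token is not for the approved subject.
    """
    if not is_approved(actor, target):
        raise PermissionError(f"{actor} is not approved to act as {target}")
    req = build_exchange_request(token_url, client_id, client_secret, subject_token, target)
    response = http_post(req["url"], req["form"])
    claims = decode_claims(response["access_token"])
    # Defence in depth: never hand out a token whose subject differs from what was approved.
    if claims.get("preferred_username") != target:
        raise ValueError("exchanged token is not for the approved subject")
    return claims


def constructed_keycloak_post(url: str, form: dict) -> dict:
    """Offline stand-in for the transport (constructed, not a real Keycloak reply): returns an
    unsigned token for whatever `requested_subject` was asked for, in the shape Keycloak uses."""
    payload = {"sub": "constructed-user-id",
               "preferred_username": form["requested_subject"],
               "azp": form["client_id"]}

    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()

    token = f"{enc({'alg': 'none'})}.{enc(payload)}."
    return {"access_token": token, "token_type": "Bearer"}


if __name__ == "__main__":
    claims = act_as("alice", "bob", "<alice-access-token>", http_post=constructed_keycloak_post)
    print("acting as", claims["preferred_username"])
```

Run with `python3 act_as.py` to exercise the flow against the offline stand-in; pass `http_post=keycloak_post` (the default) with a real realm URL and client secret to talk to Keycloak. The approval check sits in the backend rather than in the IdP because the backend is the confidential client that holds both the acting user's token and the client secret, so the browser user never sees a token and cannot initiate an exchange on their own.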