[keycloak-dev] Keycloak Impersonation feature | KEYCLOAK-4219

Ritesh Garg ritesh.garg at outlook.com
Thu Jan 19 09:47:15 EST 2017

Hello everyone,

As of now, Keycloak supports impersonation by an admin user at the front end application level. However, if someone is using JWT token based API security, there is no existing way to get a user's JWT token "on behalf" of the user by admin u.

I understand and agree with Stian Thorgersen that this is not just adding the return of a JWT token to the current impersonation endpoint. But I believe if keycloak supports impersonation; we should support that for API security as well and not just front-end applications.

If we decide to incorporate it; one implementation approach can be to introduce an impersonation grant type which would perform client and admin user authentication before granting a token on behalf of the user it is requested for. Please let me know if this sounds completely absurd to you guys.


Ritesh Garg

More information about the keycloak-dev mailing list