[keycloak-dev] Keycloak Impersonation feature | KEYCLOAK-4219

Ritesh Garg ritesh.garg at outlook.com
Mon Jan 23 09:30:44 EST 2017


Any thoughts on this?



From: Ritesh Garg <ritesh.garg at outlook.com>
Sent: Thursday, January 19, 2017 9:47 AM
To: keycloak-dev at lists.jboss.org
Subject: Keycloak Impersonation feature | KEYCLOAK-4219

Hello everyone,

As of now, Keycloak supports impersonation by an admin user at the front end application level. However, if someone is using JWT token based API security, there is no existing way to get a user's JWT token "on behalf" of the user by admin u.

I understand and agree with Stian Thorgersen that this is not just adding the return of a JWT token to the current impersonation endpoint. But I believe if keycloak supports impersonation; we should support that for API security as well and not just front-end applications.

If we decide to incorporate it; one implementation approach can be to introduce an impersonation grant type which would perform client and admin user authentication before granting a token on behalf of the user it is requested for. Please let me know if this sounds completely absurd to you guys.


Ritesh Garg

More information about the keycloak-dev mailing list