
How to implement the impersonate feature from OAuth 2.0?

Open · johannchopin-buyco opened this issue 2 months ago · 1 comment

Hello team 👋 First of all, thanks for the work put in this library 🙏

In Keycloak, there is a handy feature that allows you to impersonate another user using the OAuth 2.0 Token Exchange protocol.

Its implementation is straightforward:

  • Having an access token with the necessary rights, I can call POST <keycloakBaseurl>/realms/<realm>/protocol/openid-connect/token. This was "documented" in this example: https://github.com/flyinfish/keycloak-examples/blob/main/impersonation/README.md#s1---impersonation-via-tokenexchange
  • The response of this call will contain a new access_token and an optional refresh_token: https://datatracker.ietf.org/doc/html/rfc8693#name-successful-response

That's working fine on the API part, but I can't find any documentation on oidc-client-ts about how to "exchange" the local access_token.

My real life scenario is the following:

  • I have a backoffice application that contains the list of all users
  • I can impersonate a user by calling the post request that will respond with an access_token
  • I want to be redirected to the web application with the access_token (as query string?) so that it's automatically connected with the right user using oidc-client-ts and the given access_token.

So is there a way to implement such a thing? Did I miss something in the docs?

Thanks in advance for your help 😄

johannchopin-buyco · Oct 22 '25 13:10

Not sure it is the best way to do it, but have you tried using userManager.storeUser()? This could help you update any info you like on the user.

Badisi · Oct 31 '25 14:10
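The two halves of this thread fit together: the token-exchange POST described in the question and the `userManager.storeUser()` suggestion in the reply. The following is an added example and not code from oidc-client-ts, Keycloak or either poster. It builds the RFC 8693 request body, validates the successful response, and maps it into the settings object that oidc-client-ts's `User` constructor accepts so it can be persisted with `storeUser()`. The `requested_subject` parameter is Keycloak's impersonation extension, not part of the RFC; the endpoint URL, client ids, user names and the unsigned JWT are constructed sample data; and the `User` class and `UserManager` instance are passed in as parameters rather than imported, so the snippet runs without the package installed.

```javascript
// Added example, not code from oidc-client-ts or Keycloak: perform an RFC 8693 token
// exchange against a Keycloak token endpoint, then shape the result into the settings
// object that oidc-client-ts's `User` constructor takes, so it can be persisted with
// `userManager.storeUser(user)`. Endpoint, client ids and user names are constructed.

const TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";

// Form body for the exchange (RFC 8693 section 2.1). `requested_subject` is Keycloak's
// impersonation parameter, not part of the RFC; `audience` names the client the new
// token should be issued for (the web application, in the scenario above).
function buildTokenExchangeBody({ clientId, clientSecret, subjectToken, requestedSubject, audience }) {
  if (!subjectToken) throw new Error("subject_token (the caller's own access token) is required");
  const body = new URLSearchParams({
    grant_type: TOKEN_EXCHANGE_GRANT,
    client_id: clientId,
    subject_token: subjectToken,
    subject_token_type: ACCESS_TOKEN_TYPE,
    requested_token_type: ACCESS_TOKEN_TYPE,
  });
  if (clientSecret) body.set("client_secret", clientSecret); // confidential clients only; never ship it to a browser
  if (requestedSubject) body.set("requested_subject", requestedSubject);
  if (audience) body.set("audience", audience);
  return body;
}

// Successful response (RFC 8693 section 2.2.1): access_token and token_type must be
// present; issued_token_type, expires_in, refresh_token and scope are carried through.
function parseTokenExchangeResponse(json) {
  for (const key of ["access_token", "token_type"]) {
    if (typeof json[key] !== "string" || json[key] === "") {
      throw new Error(`token exchange response is missing ${key}`);
    }
  }
  if (json.expires_in !== undefined && !Number.isInteger(json.expires_in)) {
    throw new Error("expires_in must be an integer number of seconds");
  }
  return {
    accessToken: json.access_token,
    tokenType: json.token_type,
    issuedTokenType: json.issued_token_type,
    expiresIn: json.expires_in,
    refreshToken: json.refresh_token,
    scope: json.scope,
  };
}

// Decode the JWT payload only. No signature check happens here: the token arrived
// straight from the issuer's token endpoint over TLS, and resource servers verify
// signatures; the claims are used just to fill the `profile` oidc-client-ts expects.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Map the exchange result to the shape `new User(settings)` accepts.
// `expires_at` is epoch seconds, which is how oidc-client-ts stores it.
function toUserSettings(parsed, nowSeconds) {
  const claims = decodeJwtPayload(parsed.accessToken);
  if (typeof claims.sub !== "string") throw new Error("access token has no sub claim");
  return {
    access_token: parsed.accessToken,
    token_type: parsed.tokenType,
    refresh_token: parsed.refreshToken,
    scope: parsed.scope,
    expires_at: parsed.expiresIn !== undefined ? nowSeconds + parsed.expiresIn : claims.exp,
    profile: { sub: claims.sub, preferred_username: claims.preferred_username },
  };
}

// POST the exchange to the token endpoint. `fetchImpl` is injectable so the function
// can be exercised offline with a fake; the real call uses the global fetch.
async function exchangeToken(tokenEndpoint, options, fetchImpl = fetch) {
  const response = await fetchImpl(tokenEndpoint, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildTokenExchangeBody(options).toString(),
  });
  const json = await response.json();
  if (!response.ok) throw new Error(`token exchange failed: ${json.error ?? response.status}`);
  return parseTokenExchangeResponse(json);
}

// Persist the impersonated session the way oidc-client-ts does for a normal login.
// `UserCtor` is the library's `User` class and `userManager` a `UserManager` instance,
// both passed in rather than imported so the snippet runs without the package.
async function installImpersonatedUser(userManager, UserCtor, settings) {
  const user = new UserCtor(settings);
  await userManager.storeUser(user);
  return user;
}

// Constructed sample data: an unsigned JWT and the response a token endpoint would
// return for it. The signature segment is a placeholder and is never verified here.
const SAMPLE_CLAIMS = { iss: "https://keycloak.example/realms/demo", sub: "user-123", preferred_username: "alice", exp: 1700000900 };
const SAMPLE_TOKEN = [
  Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url"),
  Buffer.from(JSON.stringify(SAMPLE_CLAIMS)).toString("base64url"),
  "placeholder-signature",
].join(".");
const SAMPLE_RESPONSE = { access_token: SAMPLE_TOKEN, token_type: "Bearer", issued_token_type: ACCESS_TOKEN_TYPE, expires_in: 300, refresh_token: "constructed-refresh-token", scope: "openid" };

console.log(toUserSettings(parseTokenExchangeResponse(SAMPLE_RESPONSE), 1700000600));
```

Because the exchange is a single POST to the token endpoint, the web application can perform it itself with the administrator's existing session (passing the target user as `requested_subject`) instead of receiving the freshly minted access_token as a query-string parameter; that keeps the token out of URLs, browser history, Referer headers and server logs. After `storeUser()`, calling `userManager.getUser()` returns the impersonated `User`, and the `expires_at` value lets the library's token-expiry events fire as they would for a normal sign-in.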