Reputation: 8995
As admin of a Keycloak server, how can I obtain access-token of a particular user without knowing his password? Unfortunately impersonation doesn't help me because it does not contain neither his id nor his username.
Upvotes: 1
Views: 696
Reputation: 31679
There's a feature starting from keycloak 3.4.0 called token exchange wich allows you to exchange an access token from a user with impersonation permission to get other token on behalf of the other user. You can use the token endpoint this way:
curl -X POST \
-d "client_id=starting-client" \
-d "client_secret=geheim" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "subject_token=...." \
--data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
-d "audience=target-client" \
-d "requested_subject=wburke" \
http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token
You might find this post useful too.
Upvotes: 4