Recommended way to impersonate a user and add impersonator_uuid claim?

Hello,

I currently use a custom Keycloak endpoint to generate an access token for a target user and add a custom claim: impersonator_uuid

I would like to replace this custom endpoint with a Keycloak-native solution.

The flow is backend-driven: my API authenticates as a confidential client, then asks Keycloak to issue a token for another user. There is no subject_token, because the caller is not already authenticated in Keycloak.

I looked at token exchange / impersonation with requested_subject, but this seems to rely on the legacy token exchange feature, which is deprecated.

What is the recommended way in Keycloak to perform this kind of impersonated login while passing an impersonator_uuid and having it included as a claim in the issued access token?

Is this possible with built-in Keycloak features, or does it require a custom extension ?

The topic of impersonation is a tricky question.
The recommendation is to implement an open standard to have a secure solution. Therefore, in my response, I would ignore the impersonator_uuid claim.

One option is Client-Initiated Backchannel Authentication (CIBA) flow. Once the out-band-authentication is done, the backend will have a valid access token (AT). Just to clarify, the user MUST authenticate, which make sense.

For the token exchange, the standard may_act claim can be used, but it will required customization on KC side.

In any case, the user must authenticate.