Token Exchange / Impersonation - Beta Feature
The Token Exchange grant implements RFC 8693, OAuth 2.0 Token Exchange and can be used to exchange tokens to a different scope, audience or subject. Changing the subject of an authenticated token is called impersonation or delegation.
A typical use case is when customer support uses the token exchange to temporarily access a user’s account, allowing them to troubleshoot issues without needing the user’s password.
The whole documentation including some examples can be found in our Impersonation and delegation using Token Exchange guide.
Testing Period: until 31 March 2025
Testing Objectives:
- Did you encounter problems or bugs?
- Is the current permission model suitable? Do you need more?
- General feedback on feature enhancements
How to test:
- Enable the feature flag: https://zitadel.com/docs/guides/integrate/token-exchange#feature-api
- Follow the simple Token Exchange example: https://zitadel.com/docs/guides/integrate/token-exchange#simple-token-exchange-examples
- Or follow the impersonation example: https://zitadel.com/docs/guides/integrate/token-exchange#impersonation-examples
Known Bugs / Limitations:
At the moment token exchange is only implemented for your own applications, not for getting access to a ZITADEL Manager account.
Token exchange currently works only for tokens issued by ZITADEL; support for tokens from external services will be added in the future. Track the state in the corresponding issue.
Test the token exchange and add improvement or bug reports directly to the GitHub repository, or let us know your general feedback below!
RFC 8693: OAuth 2.0 Token Exchange
This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.
ZITADEL Docs
The Token Exchange grant implements RFC 8693, OAuth 2.0 Token Exchange and can be used to exchange tokens to a different scope, audience or subject. Changing the subject of an authenticated token is called impersonation or delegation. This guide will explain how token exchange is implemented inside ZITADEL and gives some usage examples.
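As an added example (not ZITADEL's code and not from the linked guide), the following builds the RFC 8693 request body used for the exchange described above and then classifies the returned token as impersonation (no `act` claim) or delegation (`act` claim naming the acting party), which is what an audit log for the support use case should record. The sample tokens, the `support-agent-7` actor and the placeholder signature are constructed for the demo; signature verification is deliberately out of scope here.

```python
import base64
import json
from urllib.parse import urlencode

# RFC 8693 identifiers for the grant type and token types
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def build_exchange_request(subject_token, actor_token=None, scope=None, audience=None):
    """Form-encoded body for a token exchange request to the token endpoint.

    With an actor_token the exchange is a delegation (the issued token should carry
    an `act` claim); without one the request asks for plain impersonation."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": JWT_TYPE,
    }
    if actor_token:
        params["actor_token"] = actor_token
        params["actor_token_type"] = ACCESS_TOKEN_TYPE
    if scope:
        params["scope"] = " ".join(scope)  # scope is a space-separated list
    if audience:
        params["audience"] = audience
    return urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_exchanged_token(jwt):
    """Classify an issued JWT by its `act` claim. Only decodes the payload: call this
    after the signature has been verified against the issuer's JWKS, never before."""
    _header, payload, _signature = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    act = claims.get("act")  # RFC 8693 section 4.1: present only for delegation
    return {
        "subject": claims["sub"],
        "actor": act.get("sub") if act else None,
        "mode": "delegation" if act else "impersonation",
    }


def _make_sample_jwt(claims):
    """Constructed, unverifiable sample token for the demo (placeholder signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample results: a support agent acting for a user, and plain impersonation
SAMPLE_DELEGATION_TOKEN = _make_sample_jwt({"sub": "user-123", "act": {"sub": "support-agent-7"}})
SAMPLE_IMPERSONATION_TOKEN = _make_sample_jwt({"sub": "user-123"})
```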
3 Replies
Unknown User•4mo ago
@muhlemmer @livio can you help here?
Unknown User•3mo ago