bawsky (ZITADEL, 8mo ago)

Token Exchange - complement token with email of impersonator

Hello Zitadel crew 👋

I'm working on adding impersonation to our application leveraging Zitadel, and one thing we've been doing is complementing the access token with the user email, e.g.:
{
  "sub": "12345...",
  "email": "john@doe.com",
  ...
}


While playing with impersonation via token exchange, however, I've noticed that the original user is under the act claim - is it possible to get their email using a V1 action (without hardcoding a Zitadel API key in the action)? Ideally I'd like something like:
{
  "sub": "12345...", // impersonated user id
  "email": "john@doe.com", // impersonated user email
  "act": {
    "sub": "45676...", // impersonator id
    "email": "dina@example.com" // impersonator email
  },
  ...
}


From my own testing, it seems that when the Complement Token flow is triggered during a token exchange, the only claim available on ctx.v1.claims is sub and nothing else 😕

thanks in advance 😄