bawsky•3mo ago

Token Exchange - complement token with email of impersonator

Hello Zitadel crew 👋 I'm working on adding impersonation to our application leveraging Zitadel, and one thing we've been doing is complementing the access token with the user email, e.g.:
```
{
  "sub": "12345...",
  "email": "john@doe.com",
  ...
}
```
While playing with impersonation via token exchange however, I've noticed that the original user is under the act claim - is it possible to get their email using a V1 action (without hardcoding a Zitadel API key in the action)? Ideally I'd like something like:
```
{
  "sub": "12345...", // impersonated user id
  "email": "john@doe.com", // impersonated user email
  "act": {
    "sub": "45676...", // impersonator id
    "email": "dina@example.com" // impersonator email
  },
  ...
}
```
From my own testing, it seems that when the Complement Token flow is triggered during a token exchange, the only claim available on ctx.v1.claims is sub and nothing else 😕 thanks in advance 😄