Enabling TokenExchange is not working as expected
āUnsolvedāQuestionšŖ²Bugs
Hi! I arrive here after messing on every corner I could find and casting sessions with every major LLM out there.
Use-case: Customer auth / E2E app testing auth
Environment: Zitadel Cloud
Version: v4.9.1
Stack: Typescript / Playwright
What you expected to happen: An impersonation token is retrieved
What went wrong: API responds
I'm writing e2e tests for my app and I expect to be able to use impersonation. I enabled it on our cloud instance default settings UI. Org, Project and App do not show this option.
I expected this to be enough but the exchange response is consistently returning
Which suggests it's enabled at the instance level
Org's features, i.e.
Thanks!
Use-case: Customer auth / E2E app testing auth
Environment: Zitadel Cloud
Version: v4.9.1
Stack: Typescript / Playwright
What you expected to happen: An impersonation token is retrieved
What went wrong: API responds
Errors.TokenExchange.FeatureDisabledErrors.TokenExchange.FeatureDisabled despite the feature looking enabled both in the UI and API /v2/features/instance/v2/features/instance responseI'm writing e2e tests for my app and I expect to be able to use impersonation. I enabled it on our cloud instance default settings UI. Org, Project and App do not show this option.
Allow ImpersonationAllow Impersonation was also set in instance default settings Security settings. I expected this to be enough but the exchange response is consistently returning
{"error":"invalid_request","error_description":"Errors.TokenExchange.FeatureDisabled"}{"error":"invalid_request","error_description":"Errors.TokenExchange.FeatureDisabled"} Could this be this error is returned for some other reason? https://my-instance-id.zitadel.cloud/v2/features/instancehttps://my-instance-id.zitadel.cloud/v2/features/instance gives{"details":{"sequence":"16","changeDate":"2026-01-13T21:03:10.650582Z","resourceOwner":"XXXXXXXX8666"},..."oidcTokenExchange":{"enabled":true,"source":"SOURCE_INSTANCE"},...}{"details":{"sequence":"16","changeDate":"2026-01-13T21:03:10.650582Z","resourceOwner":"XXXXXXXX8666"},..."oidcTokenExchange":{"enabled":true,"source":"SOURCE_INSTANCE"},...}Which suggests it's enabled at the instance level
Org's features, i.e.
https://my-instance-id.zitadel.cloud/v2/features/organization/XXXXXXXXXXXX202https://my-instance-id.zitadel.cloud/v2/features/organization/XXXXXXXXXXXX202 gitves {"code":2,"message":"rpc error: code = Unimplemented desc = method GetOrganizationFeatures not implemented"}{"code":2,"message":"rpc error: code = Unimplemented desc = method GetOrganizationFeatures not implemented"} which I interpret to signal that these feature layer is not availble in cloud instances. Same response for /v2/features/user/xxxxxxxxxxxxxxxx2838/v2/features/user/xxxxxxxxxxxxxxxx2838.Thanks!
