Hi,
I had a working implementation of impersonation, and it seems that today it stopped working because the impersonation API MY_DOMAIN.auth0.com/users/USER_ID/impersonate is generating an impersonation url with a redirect that no longer contains the id_token and access_token in the hash of the callback url. I have not made any code changes related to my API call since it was last working.
For the call to the impersonation API endpoint, if I change the additionalParameters.response_type to ‘code’ instead of ‘token’, a code will be appended to my callback url as a query string parameter, but my SPA at the callback url would really like the tokens as it had before.
My question is: has support for response_type: ‘token’ been dropped or otherwise broken recently? And if it is still a functional feature, what might I be missing that’s necessary for it to work?
Here’s a sample request payload:
{"protocol": "oauth2","impersonator_id": "MY_IMPERSONATOR_ID","client_id": "MY_CLIENT_ID","additionalParameters":{"response_type": "token","state": "", "scope": "openid profile", "callback_url": "https://localhost:8080/logout"}}
(I also have a valid bearer token in the request Authorization header)