Welcome to the Auth0 Community!
I understand the frustration the deprecation of the Impersonation legacy feature can bring, even though it created security concerns.
While we do not have any official workaround, our general recommendation matches the one mentioned in the following post, namely using a companion app that could function similarly to this:
- configure a Help Desk Application that has the adminsOnly app metadata set to true and set the users to have an Admin role in their respective app_metadata, if they are "representatives" of Help Desk;
- add the appropriate claims in the token for the API to allow access;
- create an API Middleware that confirms if a user is a Help Desk Representative or just themselves;
While we do not have any specific way of achieving impersonation, the above flow should work while maintaining a high level of security.
Hope this helped!
Gerald
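
The API middleware step from the reply above, sketched as an added example that is not part of the original post and is not Auth0's own code. The claim names, the `/users/:userId` route shape and the `req.auth.payload` location of the verified claims are assumptions made for illustration.

```javascript
// Assumptions (not from the post): claim names, the "Admin" role value, a
// /users/:userId route, and a JWT already verified upstream (signature,
// issuer, audience) with its claims exposed on req.auth.payload.
const ROLES_CLAIM = 'https://example.com/roles';             // hypothetical
const ADMINS_ONLY_CLAIM = 'https://example.com/adminsOnly';  // hypothetical

// Pure decision function so the rule can be unit-tested without a server.
function decideAccess(claims, targetUserId) {
  if (!claims || typeof claims.sub !== 'string' || !targetUserId) {
    return { allow: false, status: 401, reason: 'missing_identity' };
  }
  if (claims.sub === targetUserId) {
    return { allow: true, actingAs: 'self', actor: claims.sub };
  }
  const roles = Array.isArray(claims[ROLES_CLAIM]) ? claims[ROLES_CLAIM] : [];
  // Help Desk access needs both signals: the token was issued through the
  // adminsOnly application AND the user holds the Admin role. An Admin who
  // logged in through an ordinary app is treated as an ordinary user.
  const viaHelpDeskApp = claims[ADMINS_ONLY_CLAIM] === true;
  if (viaHelpDeskApp && roles.includes('Admin')) {
    return { allow: true, actingAs: 'helpdesk', actor: claims.sub };
  }
  return { allow: false, status: 403, reason: 'not_owner_or_helpdesk' };
}

// Express-style middleware: (req, res, next). No framework import is needed
// to define it, so this block runs stand-alone.
function helpDeskOrSelf(req, res, next) {
  const claims = req.auth && req.auth.payload;
  const target = req.params && req.params.userId;
  const decision = decideAccess(claims, target);
  if (!decision.allow) {
    return res.status(decision.status).json({ error: decision.reason });
  }
  // Keep the real caller separate from the target so audit logs never
  // attribute a Help Desk action to the customer's own account.
  req.access = { actor: decision.actor, actingAs: decision.actingAs, target };
  return next();
}
```

Unlike impersonation, the representative's own `sub` stays on every request, so downstream handlers can log `req.access.actor` alongside the target user.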