Token Exchange to act on behalf of another user

Hi Community,

We are migrating our IdP to auth0 and I have following usecase, which I could not migrate:

An admin user needs to act on behalf of different enduser, without the need of the enduser’s password!
With our old IdP we were able to use grant_type ‘urn:ietf:params:oauth:grant-type:jwt-bearer’ to request an access token for the admin. After that we use grant_type ‘urn:ietf:params:oauth:grant-type:token-exchange’ to retreive an access token on behalf of the enduser. We were then logged in as the enduser!

Anyone same situation?

1 Like

Hi @allinformatix :wave:

Welcome to the community :sunglasses:

The situation you describe appears to suggest some requirement for impersonation and/or (3rd party) token exchange Neither of which Auth0 natively supports out of the box. However, it is possible to achieve some level of each - typically utilising Auth0 Custom Database Connection functionality. Whilst possible, it’s not a simple solution to describe/implement…at least not securely at any rate. For situations like these I would typically recommend reaching out to Auth0 Professional Services - either via your (Auth0) Technical Account Manager if you have one or directly via the link provided.

Hope this helps :slightly_smiling_face:

1 Like