Impersonation in Keycloak

I had to implement user impersonation using Keycloak. I haven’t found any e2e solution so I decided to write short post about how we can achieve that.

First you need to start your Keycloak instance with these flags:

-Dkeycloak.profile=preview -Dkeycloak.profile.feature.token_exchange=enabled

It’s allow us to use token exchange feature which is not enabled by default. Then we need to enable impersonation for our client in Keycloak console.


After that we need to grant impersonation for specified user: user.png

When we have configuration part done, we can move forward to implementation which is not much complex.

This is implementation of TypeScript service used in my Angular app for a token exchange.

export class ImpersonateService {
  constructor(private http: HttpClient) {}

  private static buildImpersonateRequestBody(userId: string, keycloakClientId: string, currentUserAccessToken: string): URLSearchParams {
    const body = new URLSearchParams();

    body.set('grant_type', 'urn:ietf:params:oauth:grant-type:token-exchange');
    body.set('subject_token', currentUserAccessToken);
    body.set('client_id', keycloakClientId);
    body.set('requested_subject', userId);

    return body;

  private static getOptions() {
    return {
      headers: new HttpHeaders().append('Content-Type', 'application/x-www-form-urlencoded')

  public impersonate(keycloakUserService: string): Observable<any> {
    const body = ImpersonateService.buildImpersonateRequestBody(

    // remember to replace master realm with your own
    return this.http
        tap(response => {
          // start using new token

In response from Keyclok you should received new tokens pair.

Hope you enjoy this post. If You have any questions or problems leave a comment or send email.

See You soon!

Written on April 9, 2020