Keycloak should support delegation when using token exchange according to RFC 8693. In the current version of Keycloak only impersonation is supported. The main difference between delegation and impersonation is that delegation is transparent for the target and allows the target to determine the user that impersonated another user. For more info see https://datatracker.ietf.org/doc/html/rfc8693#section-1.1

To support delegation, RFC 8693 specifies the parameters actor_token and actor_token_type, which can optionally contain the token of the original user.

Keycloak should support the parameters actor_token and actor_token_type and set the act claim in the generated JWT.

We are looking for this feature to forward the real user in a microservice architecture in a reliable way.
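Added example, not Keycloak code and not part of the issue above: a self-contained Python simulation of the RFC 8693 delegation exchange the request describes. It builds the token-exchange form body with subject_token / actor_token and their *_type parameters, plays the authorization server that validates both tokens and mints a new JWT carrying the act claim (nesting earlier actors as RFC 8693 section 4.1 shows), and plays the resource server that walks the act chain to find out who forwarded the user's token. Everything here is constructed for the example: the HS256 shared key, the issuer URL https://issuer.example, the service names svc-a / svc-b / svc-c, and the check that the actor must be the audience of the subject token (a policy choice for this example, not something the RFC mandates). The optional may_act check follows RFC 8693 section 4.4.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Identifiers defined by RFC 8693.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed for this example: a shared HS256 key standing in for the
# authorization server's signing key, and a hypothetical issuer URL.
SIGNING_KEY = b"example-only-hs256-key"
ISSUER = "https://issuer.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Minimal HS256 JWT encoder so the example runs without a JWT library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Check alg, signature and expiry; return the claims or raise ValueError."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


def mint_token(sub: str, aud: str, ttl: int = 300, extra=None) -> str:
    """Issue a short-lived token (hypothetical helper standing in for the AS)."""
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    claims.update(extra or {})
    return sign_jwt(claims)


def build_exchange_request(subject_token: str, actor_token: str, audience: str) -> str:
    """Form body the calling service posts to the token endpoint (RFC 8693 section 2.1)."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "actor_token": actor_token,        # the service's own token
        "actor_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,              # next hop in the call chain
    })


def issue_delegated_token(form_body: str) -> str:
    """Authorization-server side: validate both tokens, mint a token with an act claim."""
    form = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ValueError("unsupported_grant_type")
    if ACCESS_TOKEN_TYPE not in (form.get("subject_token_type"), form.get("actor_token_type")):
        raise ValueError("unsupported token type")
    subject = verify_jwt(form["subject_token"])
    actor = verify_jwt(form["actor_token"])
    # Example policy: a service may only delegate a token that was issued to it.
    auds = subject["aud"] if isinstance(subject["aud"], list) else [subject["aud"]]
    if actor["sub"] not in auds:
        raise ValueError("actor is not an audience of the subject token")
    # Optional restriction on who may act for this subject (RFC 8693 section 4.4).
    may_act = subject.get("may_act")
    if may_act is not None and actor["sub"] != may_act.get("sub"):
        raise ValueError("actor not permitted by may_act")
    # Current actor is the outermost act; earlier actors stay nested (section 4.1).
    act = {"sub": actor["sub"]}
    if "act" in subject:
        act["act"] = subject["act"]
    return mint_token(subject["sub"], form["audience"], extra={"act": act})


def delegation_chain(claims: dict) -> list:
    """Resource-server side: actors from most recent to original, [] if none."""
    chain, node = [], claims.get("act")
    while node:
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def demo() -> dict:
    """alice calls svc-a, which delegates to svc-b, which delegates to svc-c."""
    user_token = mint_token("alice", aud="svc-a")
    tok_for_b = issue_delegated_token(
        build_exchange_request(user_token, mint_token("svc-a", aud=ISSUER), "svc-b"))
    tok_for_c = issue_delegated_token(
        build_exchange_request(tok_for_b, mint_token("svc-b", aud=ISSUER), "svc-c"))
    return verify_jwt(tok_for_c)  # sub stays "alice"; act = {"sub":"svc-b","act":{"sub":"svc-a"}}
```

Running demo() shows the property the issue asks for: the subject of the final token is still the real user, while the act chain records every service that forwarded it, so svc-c can distinguish a request that came via svc-a and svc-b from one alice made directly.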

Comment From: marbon87

Sorry, wrong project.