Get ID token of a user using custom Admin REST API in Keycloak


In a system I'm developing now, I want to get an ID token of a user in my Keycloak server using the admin REST API of Keycloak, without knowing the password of the user (i.e., using only the password of an admin user).

That is, I want to have an admin API like GET /{realm}/users/{id}/id-token.

Is it possible to realize this?

(The Keycloak documentation says it is possible to implement custom API endpoints (https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest), but I'm not sure if I can add my desired function.)


1 answer

Jan Garaj (best answer):

That sounds like a very dangerous feature (an IDP admin can pretend to be any user from his IDP user pool). But you are still missing one input: the client. Each client may generate a different token.

I would say that you may need:

1.) Example access token feature (not ID token!)

Check GET /{realm}/clients/{id}/evaluate-scopes/generate-example-access-token endpoint

https://www.keycloak.org/docs-api/11.0/rest-api/index.html

2.) Impersonation feature

https://www.keycloak.org/docs/latest/server_admin/#impersonation

3.) Implement it on your own in Keycloak, so it will fit your needs exactly.
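An added example, not part of the question or the answer, on the defensive side of item 2: because impersonation lets an admin act as any user, the IMPERSONATE events Keycloak emits should be collected and reviewed. It assumes the key=value line layout of Keycloak's "jboss-logging" event listener and the `impersonator` / `impersonator_realm` detail names; the log lines below are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the key=value layout of Keycloak's
# "jboss-logging" event listener (assumed format; the listener has to be
# enabled under Realm settings -> Events before these lines exist).
SAMPLE_LOG = """\
2024-01-01 10:00:00 WARN  [org.keycloak.events] type=LOGIN, realmId=myrealm, clientId=account, userId=1111-aaaa, ipAddress=10.0.0.5, auth_method=openid-connect
2024-01-01 10:01:00 WARN  [org.keycloak.events] type=IMPERSONATE, realmId=myrealm, clientId=security-admin-console, userId=2222-bbbb, ipAddress=10.0.0.9, impersonator_realm=master, impersonator=admin
2024-01-01 10:02:00 WARN  [org.keycloak.events] type=LOGOUT, realmId=myrealm, clientId=account, userId=1111-aaaa, ipAddress=10.0.0.5
2024-01-01 10:03:00 WARN  [org.keycloak.events] type=IMPERSONATE, realmId=myrealm, clientId=security-admin-console, userId=3333-cccc, ipAddress=10.0.0.9, impersonator_realm=myrealm, impersonator=helpdesk
"""

FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")


@dataclass
class Impersonation:
    impersonator: str
    impersonator_realm: str
    target_user: str
    realm: str
    ip: str


def parse_event(line):
    """Parse one event line into its key=value fields (None if not an event)."""
    if "type=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def find_impersonations(log_text):
    """Collect every IMPERSONATE event: which admin acted as which user."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("type") == "IMPERSONATE":
            hits.append(Impersonation(
                impersonator=ev.get("impersonator", "?"),
                impersonator_realm=ev.get("impersonator_realm", "?"),
                target_user=ev.get("userId", "?"),
                realm=ev.get("realmId", "?"),
                ip=ev.get("ipAddress", "?"),
            ))
    return hits


def unexpected(hits, allowed_impersonators):
    """Keep only impersonations by accounts outside the approved set."""
    return [h for h in hits if h.impersonator not in allowed_impersonators]
```

Feeding the server log through `find_impersonations` and alerting on `unexpected(hits, {"helpdesk"})` surfaces any impersonation performed by an account that is not supposed to use the feature.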