In a system I'm developing now, I want to get an ID token of a user in my Keycloak server using the admin REST API of Keycloak, without knowing the password of the user (i.e., using only the password of an admin user).
That is, I want to have an admin API like GET /{realm}/users/{id}/id-token.
Is it possible to realize this?
(The document of Keycloak says it is possible to implement custom API endpoints (https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest), but I'm not sure if I can add my desired function.)
That sounds like a very dangerous feature (an IDP admin can pretend to be any user from his IDP user pool). But you are still missing one input: the client. Each client may generate a different token.
I would say that you may need:
1.) Example access token feature (not ID token!)
Check the GET /{realm}/clients/{id}/evaluate-scopes/generate-example-access-token endpoint: https://www.keycloak.org/docs-api/11.0/rest-api/index.html
2.) Impersonation feature
https://www.keycloak.org/docs/latest/server_admin/#impersonation
3.) Implement it on your own in Keycloak, so it will exactly fit your needs.
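The first option above (the evaluate-scopes endpoint), as an added example that is not part of the question, the answer or Keycloak's own code. It logs in as an admin through the built-in admin-cli client, calls generate-example-access-token for a user/client pair with the endpoint's userId and scope query parameters, and summarizes the result. The server URL, realm, client UUID, user id and admin credentials are placeholders; the opener argument is injected so the flow can be exercised against a stub. Note that this endpoint returns the token's claims as JSON (the payload Keycloak would put in a token for that user and client), not a signed JWT, which is why the summary checks explicitly whether the value could be presented as a credential.

```python
# Added example (not from the question, the answer or the Keycloak project):
# retrieve the example access-token payload the admin API computes for a
# user/client pair and inspect it. All URLs, ids and credentials are placeholders.
import base64
import json
import urllib.parse
import urllib.request

ADMIN_CLIENT = "admin-cli"  # built-in public client used for admin logins


def admin_token_request(base_url, username, password):
    """Request that exchanges admin credentials for an access token in the
    master realm (password grant on the admin-cli client)."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": ADMIN_CLIENT,
        "username": username,
        "password": password,
    }).encode()
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    return urllib.request.Request(url, data=body, method="POST")


def example_token_request(base_url, realm, client_uuid, user_id, scope, bearer):
    """Request for GET /{realm}/clients/{id}/evaluate-scopes/generate-example-access-token.
    client_uuid is the client's internal id (not its clientId); userId and scope
    are the endpoint's query parameters."""
    query = urllib.parse.urlencode({"userId": user_id, "scope": scope})
    url = (f"{base_url}/admin/realms/{realm}/clients/{client_uuid}"
           f"/evaluate-scopes/generate-example-access-token?{query}")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer}"})


def fetch_json(request, opener=urllib.request.urlopen):
    """Send the request and decode the JSON body. opener is injectable so the
    flow can be run against a stub instead of a live server."""
    with opener(request) as resp:
        return json.loads(resp.read().decode())


def looks_like_signed_jwt(value):
    """True only for a compact JWS: three base64url segments with a JSON header."""
    if not isinstance(value, str) or value.count(".") != 2:
        return False
    header = value.split(".")[0]
    try:
        decoded = base64.urlsafe_b64decode(header + "=" * (-len(header) % 4))
        return isinstance(json.loads(decoded), dict)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False


def summarize_example_token(payload):
    """Reduce the returned claims to the fields an admin usually checks when
    evaluating scopes, and record whether the value is a presentable token
    (for this endpoint it is a JSON payload, so the answer is False)."""
    return {
        "subject": payload.get("sub"),
        "username": payload.get("preferred_username"),
        "audience": payload.get("aud"),
        "issued_for": payload.get("azp"),
        "roles": sorted(payload.get("realm_access", {}).get("roles", [])),
        "is_presentable_token": looks_like_signed_jwt(payload),
    }


def preview_user_token(base_url, realm, client_uuid, user_id, admin_user,
                       admin_password, scope="openid",
                       opener=urllib.request.urlopen):
    """Full flow: admin login, example-token call, summary of the claims."""
    admin = fetch_json(admin_token_request(base_url, admin_user, admin_password), opener)
    raw = fetch_json(example_token_request(base_url, realm, client_uuid, user_id,
                                           scope, admin["access_token"]), opener)
    return summarize_example_token(raw)


if __name__ == "__main__":
    # Placeholder values; replace with a real server, realm, client UUID and user id.
    print(preview_user_token("https://keycloak.example.test", "demo",
                             "00000000-0000-0000-0000-000000000000", "user-id",
                             "admin", "admin-password"))
```

Because the endpoint hands back claims rather than a signed token, it is suitable for checking what scopes and roles a client would receive for a user, but it does not give an admin a credential to act as that user; an admin who needs that is in the impersonation feature's territory, which is a separate, audited action.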