Product Q&As
ForgeRock Identity Cloud
ForgeRock Identity Platform

Does the ForgeRock solution support secure impersonation?

Last updated Jan 24, 2023

Several methods are available for achieving secure impersonation in the ForgeRock solution. These include: OAuth 2.0 token exchange, Client Initiated Backchannel Authentication (CIBA), and changing a session's user ID.


Methods for achieving impersonation with the ForgeRock solution include:

OAuth 2.0 token exchange

ForgeRock supports impersonation through its implementation of OAuth 2.0 Token Exchange (RFC 8693). With this implementation, a client performs an action on behalf of the user in an environment where there is no need to keep a separation between the user and the client. For example, a user completes a money transfer by logging in to their bank application and trusting the application to act on their behalf to access the internal banking system and perform the transaction. 

See Token exchange (Identity Cloud) and OAuth 2.0 token exchange (AM) for further information.

Client Initiated Backchannel Authentication (CIBA)

Impersonation can be achieved through a Client Initiated Backchannel Authentication (CIBA) flow. A CIBA flow allows a client application to obtain authentication and consent from a user without requiring the user to interact with it directly. 

See Backchannel request grant (Identity Cloud) and Backchannel request grant (AM) for further information. 

Changing a session's user ID

Another impersonation method supported by ForgeRock involves changing the session's username (user ID) to the impersonated user during the authentication journey. With the Impersonate node, available on the ForgeRock Marketplace, you can quickly, easily and securely integrate this capability into an Intelligent Access user journey. 

Alternatively, the primary user can remain logged in, and a custom authentication node can be used to augment the user session with the username of the impersonated user. With this method, either the protected application must be altered to use the impersonated ID field or, if ForgeRock Identity Gateway (IG) can be deployed, an IG filter can replace the credentials during the resource access request.


The Impersonation node is not currently available with Identity Cloud deployments.

See Also

Token Exchange Impersonation (Cloud Learning video)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.