I want to implement impersonation functionality in my application, so that an admin can provide support to end users. My architecture is the following:
1.- React app in front.
2.- Spring Resource Server. It is a REST API that the React app calls.
3.- Spring Auth Server that acts as the authorization server. This server is the token issuer, and is an OAuth client too, because it uses Microsoft Entra ID to authenticate.
Here is the configuration of 2.- Resource Server:
spring.security.oauth2.resourceserver.jwt.issuer-uri: https://auth-server
Here is the config of 3.- Auth Server:
spring.security.oauth2:
  authorizationserver:
    issuer: https://auth-server
    client:
      react-client:
        registration:
          client-id: client-id
          client-secret: secret
          redirect-uris:
            - https://react-app/redirect
          client-authentication-methods:
            - client_secret_basic
          authorization-grant-types:
            - authorization_code
            - refresh_token
          scopes:
            - openid
            - profile
            - https://graph.microsoft.com/User.ReadBasic.All
  client:
    provider:
      azure:
        issuer-uri: https://login.microsoftonline.com/${azure.tenant-id}/v2.0
        user-name-attribute: sub
    registration:
      my-client:
        provider: azure
        scope:
          - openid
          - profile
          - email
        redirect-uri: https://auth-server/login/oauth2/code/
With this configuration, all works well. The React app first calls the auth server to get a code:
https://auth-server/oauth2/authorize
?client_id=client-id
&redirect_uri=https://react-app/redirect
&scope=openid
&response_type=code
&response_mode=form_post
&state=xxxxxxxxxxx
&nonce=xxxxxxxxxxx
The auth server calls Microsoft Entra ID to log in the user with her credentials.
Then, with this code, the app calls the token endpoint to get a token:
https://auth-server/oauth2/token
?grant_type=authorization_code
&code=mH09Ql0a_5RihuweHHDhdD3
&client_id=client-id
&client_secret=secreto
&redirect_uri=https://react-app/redirect
With this token the React app knows who the user is and can use it to call the Resource Server.
Now, I want to impersonate a user, and I don't know how to do this.
I read that maybe I need to use the token-exchange grant_type, which Spring Security 6.3.0-M3 supports.
I put urn:ietf:params:oauth:grant-type:token-exchange in authorization-grant-types, and it works well if I have the token to put in subject_token. But the problem is that the admin user doesn't know the end user's token to impersonate; she only knows the email the end user uses to log in to Microsoft Entra ID.
Any suggestion on how to impersonate an end user with this flow?
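The token-exchange request the question refers to (RFC 8693) and the `act` claim that lets a resource server or audit log distinguish an impersonated call from a direct one, as an added example that is not part of the question and not Spring Security's own code. It assumes the authorization server's token endpoint is https://auth-server/oauth2/token and that it copies the actor into an `act` claim when an `actor_token` is supplied; the two tokens below are constructed, unsigned fixtures so the example runs offline.

```javascript
// Added example, not code from the question or from Spring Security.
// Assumptions (labelled): the token endpoint is https://auth-server/oauth2/token,
// and the authorization server copies the actor into an RFC 8693 "act" claim.
// The tokens used below are constructed, unsigned fixtures for an offline demo;
// a real resource server must verify the signature before trusting any claim.

const TOKEN_ENDPOINT = "https://auth-server/oauth2/token"; // assumed endpoint

// Build the form body of an RFC 8693 token-exchange request. The subject is the
// user being impersonated; the actor is the admin performing the exchange.
function buildTokenExchangeBody({ subjectToken, actorToken, scope, audience }) {
  const params = new URLSearchParams();
  params.set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
  params.set("subject_token", subjectToken);
  params.set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token");
  if (actorToken) {
    params.set("actor_token", actorToken);
    params.set("actor_token_type", "urn:ietf:params:oauth:token-type:access_token");
  }
  if (scope) params.set("scope", scope);
  if (audience) params.set("audience", audience);
  return params.toString();
}

// Decode the payload of a compact JWT without verifying it (fixture use only).
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Walk the nested "act" claim (RFC 8693 section 4.1) and return the delegation
// chain: [subject, actor, actor's actor, ...].
function delegationChain(claims) {
  const chain = [claims.sub];
  for (let act = claims.act; act; act = act.act) chain.push(act.sub);
  return chain;
}

// What a resource server or audit log should record for an impersonated call:
// the effective user AND the admin acting on their behalf, never only the former.
function describeCaller(claims) {
  const chain = delegationChain(claims);
  return {
    effectiveUser: chain[0],
    actor: chain.length > 1 ? chain[chain.length - 1] : null,
    impersonated: chain.length > 1,
  };
}

// Build an unsigned fixture token ("alg": "none") so the example runs offline.
function makeFixtureJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

// Constructed sample: the admin's own token, and the token the exchange would
// return for the end user with the admin recorded in "act".
const ADMIN_TOKEN = makeFixtureJwt({ sub: "admin@example.com", scope: "openid" });
const EXCHANGED_TOKEN = makeFixtureJwt({
  sub: "user@example.com",
  scope: "openid profile",
  act: { sub: "admin@example.com" },
});

function demo() {
  const body = buildTokenExchangeBody({
    subjectToken: "<subject token of user@example.com>", // the open question in the post
    actorToken: ADMIN_TOKEN,
    scope: "openid profile",
  });
  const caller = describeCaller(decodeJwtPayload(EXCHANGED_TOKEN));
  return { endpoint: TOKEN_ENDPOINT, body, caller };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Whatever mechanism ends up producing the subject token, the resource server should read the whole chain from `act` rather than only `sub`: that is what turns an impersonated request into an attributable one in the logs.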