Calling REST APIs On-behalf Of My Associated Accounts #6882

Closed
tharindu-b-hewage opened this issue Nov 18, 2019 · 1 comment

Comments

@tharindu-b-hewage
Contributor

Imagine my user account in WSO2 Identity Server is john. I also have one other associated user account in the identity server, under the name ben.

I use an application which shows all my user accounts in the identity server once I have successfully logged in.

As of now, the above scenario can be done successfully. The application can call the WSO2 Identity Server user account association APIs and list all the associated accounts on behalf of me (once I have logged in).

But I want to see some of the attributes of my associated accounts (e.g., email addresses). This should be possible in a way that the application calls the WSO2 IS SCIM APIs on behalf of my associated accounts, then retrieves any attributes, without me logging in as each associated user (e.g., when I log in as john, the email address of ben should be shown by the application).

The idea here is that all my associated accounts are essentially mine, therefore once logged in as a user, any of the subsequent REST API calls on behalf of any associated user account should be allowed.

@tharindu-b-hewage
Contributor Author

Changing the authorized user dynamically will be an approach that will not work with any other resource server other than for the IS product APIs.

Therefore, the approach of fixing the authentication valve and using the header to call REST APIs on behalf of the associated user is not suitable.

Since we have introduced a grant type to switch and get tokens on behalf of the associated user, an appropriate way of doing this requirement is to get a new access token via the switch grant, then call REST APIs as required.

Therefore this issue is addressed at #6734.
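
The difference between the two approaches discussed in this thread, as an added example that is not part of the original issue or of WSO2 Identity Server's code: a generic resource server authorizes on the subject of the token it receives, so a header naming another user changes nothing, while a token reissued for the associated account is accepted. The toy HMAC token format, the `X-On-Behalf-Of` header name, and the function names are assumptions made for illustration; the sample users and emails are constructed.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"                      # toy signing key (constructed)
ASSOCIATIONS = {"john": {"ben"}, "ben": {"john"}}  # constructed association data
EMAILS = {"john": "john@example.com", "ben": "ben@example.com"}

def _sign(body: bytes) -> str:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def issue_token(sub: str) -> str:
    """Toy authorization server: token is base64(JSON claims) + '.' + HMAC."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": sub}).encode())
    return body.decode() + "." + _sign(body)

def verify(token: str) -> str:
    """Check the signature and return the subject the token was issued for."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body.encode())):
        raise PermissionError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))["sub"]

def switch_grant(token: str, target: str) -> str:
    """Hypothetical switch grant: exchange a valid token for one whose subject
    is an account associated with the current subject. The association check
    happens once, at the authorization server."""
    sub = verify(token)
    if target not in ASSOCIATIONS.get(sub, set()):
        raise PermissionError(f"{target} is not associated with {sub}")
    return issue_token(target)

def get_email(token: str, user: str, headers=None) -> str:
    """Generic resource server: authorizes on the token subject only.
    Client-supplied headers are not a source of identity and are ignored."""
    sub = verify(token)
    if sub != user:
        raise PermissionError(f"token for {sub} cannot read {user}")
    return EMAILS[user]

if __name__ == "__main__":
    john = issue_token("john")
    try:
        get_email(john, "ben", headers={"X-On-Behalf-Of": "ben"})
    except PermissionError as e:
        print("header approach:", e)
    print("switch grant:", get_email(switch_grant(john, "ben"), "ben"))
```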
