From 18c8fdf015653ad887c8cfcdcf5c2a4c1f9ef2c5 Mon Sep 17 00:00:00 2001 From: wangsijie Date: Fri, 19 Jul 2024 18:23:18 +0800 Subject: [PATCH] chore: add changeset for impersonation (#6251) --- .changeset/seven-comics-tan.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .changeset/seven-comics-tan.md diff --git a/.changeset/seven-comics-tan.md b/.changeset/seven-comics-tan.md new file mode 100644 index 000000000..8ef9efa59 --- /dev/null +++ b/.changeset/seven-comics-tan.md @@ -0,0 +1,26 @@ +--- +"@logto/core": minor +--- + +implement token exchange for user impersonation + +Added support for user impersonation via token exchange: + +1. New endpoint: `POST /subject-tokens` (Management API) + - Request body: `{ "userId": "" }` + - Returns a subject token + +2. Enhanced `POST /oidc/token` endpoint (OIDC API) + - Supports new grant type: `urn:ietf:params:oauth:grant-type:token-exchange` + - Request body: + ```json + { + "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", + "subject_token": "", + "subject_token_type": "urn:ietf:params:oauth:token-type:access_token", + "client_id": "" + } + ``` + - Returns an impersonated access token + +Refer to documentation for usage examples and the [Token Exchange RFC](https://tools.ietf.org/html/rfc8693) for more details.
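Review bot: In item 2, the `POST /oidc/token` request body is written as a JSON object, while RFC 8693 (linked in the last line) defines the token exchange parameters as `application/x-www-form-urlencoded`. The changeset should state which encoding the endpoint accepts so integrators do not copy the JSON literally. The values for `userId`, `subject_token` and `client_id` appear as empty strings (`""`); named placeholders would make clear that the `subject_token` is the value returned by `POST /subject-tokens`. Because this grant yields an access token for another user, the note should also say what Management API permission `POST /subject-tokens` requires, whether the subject token is short-lived or single-use, and whether the impersonated access token can be told apart from a normal one (RFC 8693 defines the `act` claim for this). Alternatively, replace "Refer to documentation" with a link to the page that covers these points.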