Improve impersonation

[goloroden]

What is this feature about?

Currently, from within a flow or from within the client you can use the asUser property when sending a command, to impersonate, i.e. to send the command under a different user. Technically, we only change the sub claim, we don't issue a real token. This works if you only want to override the user's identity, but sometimes you also need to provide additional claims. So it would be better to issue a real token, with a new sub claim as well as custom claims.

What needs to be done to implement this feature?

• Change the asUser functions to optionally handle custom claims
  • wolkenkit-flows
  • wolkenkit-client
  • Check whether there are more places that are affected
• Think about signing these tokens using an internal certificate
• Rethink the can-impersonate claim
  • Decide whether it is still required
  • Namespace it so that it works with Auth0 again
• Update documentation

What else should we know?

This feature request was made by @schmuto. So we should notify him once this has been done.

[goloroden]

Should be on-behalf-of, since in the future we separate between the (technical) client, and the domain (user), and this feature only changes the user, but not the client.