Every client application that you want to use to impersonate a user must obtain an OAuth token. Each client application must also have a corresponding SPFClientApplication object created in the Desktop Client or Web Client.
You control which users can be impersonated through the SPFClientApplication object. To allow all users to be impersonated, set the Allow impersonation of all users property to True for each SPFClientApplication object.
To restrict impersonation to a subset of users, set the property to False and then create a relationship between the client application and the users you want to allow to be impersonated.
- The client application client id in each SPFClientApplication object must match the authorization server client id exactly.
- The SPFClientApplication object must be created using the client id of an OAuth client that uses only the Client Credentials authorization workflow.