[keycloak-user] Detect user impersonation

[David Delbecq]

Well, the server event is quite limited. There is no way to distinguish the
operations done by admin from the operations done by user, if both are
using the application at the same time. Unless the Keycloak principal
contain some magic session key I can match later with event audit.

What's the procedure to create Feature request? Just fill a bug?

On Fri, Jan 13, 2017 at 7:25 AM Stian Thorgersen <sthorger at redhat.com>
wrote:

> Surprisingly enough, no it's not possible at the moment. The assumption
> that was made was that impersonation was not something the app should care
> about. Can you audit this on the Keycloak server side instead? The login
> event has details that shows it's impersonated including the impersonator.
>
> Feel free to create a feature request for this.
>
> On 10 January 2017 at 13:09, David Delbecq <david_delbecq at trimble.com>
> wrote:
>
> Hello,
>
> for audit reason, our application need to be able to make the difference
> between "userA" and "userA impersonated by admin xyz". Is there some way
> from the client point of view to make a difference between a logged in user
> and an admin impersonating that user? Is it possible to add some property
> in KeycloakPrincipal to detect it? And possiblity get the name of the admin
> doing it?
>
> --
> <http://www.trimble.com/>
>
>
> David Delbecq
> Software engineer, Transport & Logistics
> Geldenaaksebaan 329, 1st floor | 3001 Leuven
>
> +32 16 391 121 <+32%2016%20391%20121> Direct
> david.delbecq at trimbletl.com
> <http://www.trimbletl.com/>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
<http://www.trimble.com/>
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 <+32%2016%20391%20121> Direct
david.delbecq at trimbletl.com
<http://www.trimbletl.com/>