[keycloak-user] Detect user impersonation

Stian Thorgersen sthorger at redhat.com
Mon Jan 16 03:18:40 EST 2017


There is a server event created when the admin impersonates the user. This
does indeed have a session key (no magic though), which all other events
for the session have (app login to same session, logout, etc.).

On 13 January 2017 at 16:30, David Delbecq <david_delbecq at trimble.com>
wrote:

> Well, the server event is quite limited. There is no way to distinguish
> the operations done by admin from the operations done by user, if both are
> using the application at the same time. Unless the Keycloak principal
> contains some magic session key I can match later with event audit.
>
> What's the procedure to create a feature request? Just file a bug?
>
> On Fri, Jan 13, 2017 at 7:25 AM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Surprisingly enough, no it's not possible at the moment. The assumption
>> that was made was that impersonation was not something the app should care
>> about. Can you audit this on the Keycloak server side instead? The login
>> event has details that show it's impersonated including the impersonator.
>>
>> Feel free to create a feature request for this.
>>
>> On 10 January 2017 at 13:09, David Delbecq <david_delbecq at trimble.com>
>> wrote:
>>
>> Hello,
>>
>> For audit reasons, our application needs to be able to tell the difference
>> between "userA" and "userA impersonated by admin xyz". Is there some way
>> from the client point of view to tell the difference between a logged in
>> user and an admin impersonating that user? Is it possible to add some
>> property in KeycloakPrincipal to detect it? And possibly get the name of
>> the admin doing it?
>>
>> --
>> <http://www.trimble.com/>
>>
>>
>> David Delbecq
>> Software engineer, Transport & Logistics
>> Geldenaaksebaan 329, 1st floor | 3001 Leuven
>>
>> +32 16 391 121 Direct
>> david.delbecq at trimbletl.com
>> <http://www.trimbletl.com/>
>
>
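
The server-side correlation described in the reply at the top of this thread, sketched as an added example (not code from the thread or from the Keycloak project): find the impersonation event, then tag every other event that shares its session key. The event field names (`type`, `userId`, `sessionId`, `details.impersonator`) are assumptions modeled on Keycloak's event representation, and the sample events are constructed.

```python
# Constructed sample events; field names are assumed to follow Keycloak's
# event representation (type, userId, sessionId, details).
SAMPLE_EVENTS = [
    {"time": 1000, "type": "LOGIN", "userId": "userA", "sessionId": "s-1", "details": {}},
    {"time": 1010, "type": "IMPERSONATE", "userId": "userA", "sessionId": "s-2",
     "details": {"impersonator": "admin-xyz"}},
    {"time": 1015, "type": "LOGIN", "userId": "userA", "sessionId": "s-2", "details": {}},
    {"time": 1020, "type": "LOGOUT", "userId": "userA", "sessionId": "s-1", "details": {}},
    {"time": 1030, "type": "LOGOUT", "userId": "userA", "sessionId": "s-2", "details": {}},
    {"time": 1040, "type": "LOGIN_ERROR", "userId": "userA", "details": {}},  # no session
]


def impersonated_sessions(events):
    """Map sessionId -> impersonator for every session opened by impersonation."""
    sessions = {}
    for ev in events:
        if ev.get("type") == "IMPERSONATE" and ev.get("sessionId"):
            details = ev.get("details") or {}
            sessions[ev["sessionId"]] = details.get("impersonator", "<unknown>")
    return sessions


def attribute_events(events):
    """Return events in time order, each tagged with the acting party."""
    # First pass is order-independent, so an event stored before the
    # IMPERSONATE record for its session is still attributed correctly.
    sessions = impersonated_sessions(events)
    report = []
    for ev in sorted(events, key=lambda e: e.get("time", 0)):
        sid = ev.get("sessionId")
        user = ev.get("userId", "<unknown>")
        if sid is None:
            actor = "unattributable (no session)"
        elif sid in sessions:
            actor = f"{user} impersonated by {sessions[sid]}"
        else:
            actor = user
        report.append((ev.get("time"), ev.get("type"), sid, actor))
    return report


if __name__ == "__main__":
    for row in attribute_events(SAMPLE_EVENTS):
        print(row)
```

In the sample, userA's own session `s-1` and the impersonated session `s-2` overlap in time, which is the case raised in the thread; events without a session key are reported as unattributable rather than guessed.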

