Re: [keycloak-dev] user impersonation committed

On Jul 10, 2015, at 9:34 PM, Bill Burke <bburke(a)redhat.com&gt; wrote: Taking a break from auth flows for a fe and took a first stab at user impersonation. Go to: /auth/realms/{realm}/impersonate * There's a new "impersonation" role that is in the same "client" as view-realm, view-user, etc... roles Both in master realm apps and in the realm-management client. * The admin role as this "impersonation" role in its composite * After impersonation, you are redirected to Account applications page. "Master" impersonate service: * If you visit the "master" impersonate service of the master realm, you will have a list of of realms to choose from based on which "impersonation" roles the user has assigned to him * If you impersonate a user from "master" you are logged out and a new user session is created as the impersonated user. * If you impersonate a user that is within a different realm than "master", you are not logged out of master. Per realm impersonate service. * If you visit the impersonate service of another realm other than "master", you will not have a list of realms and will only be able to impersonate a user in that realm. * When you impersonate, you are logged out and a new user session is created for that user. Questions: * I implemented this similarly to the AccountService with a new "impersonation" client. It is a freemarker form at the moment (csrf protected)! I'm not 100% sure I can implement it within the admin console. Gonna look into that next. * Would it be useful to retain this freemarker form and impersonation client? Or should it only be available within the admin console? * What should it look like in the admin console? Just an "impersonate" button on the User Detail page? -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev