A few things:
1. Impersonation should be available via an admin endpoint. If I have the impersonation
role, I should be able to make a call to impersonate another user.
2. It should be available in the admin console on the user details page and the list. I
don’t think it makes sense to have to click into the user if you already found them in
search results, etc.
3. What happens when user X decides to impersonate user Y and user X is already
authenticated to clients? How does the impersonation for user X of user Y get propagated
to clients? What happens on logout?
On Jul 10, 2015, at 9:34 PM, Bill Burke <bburke(a)redhat.com> wrote:
Taking a break from auth flows for a fe and took a first stab at user
impersonation.
Go to:
/auth/realms/{realm}/impersonate
* There's a new "impersonation" role that is in the same "client" as
view-realm, view-user, etc... roles. Both in master realm apps and in
the realm-management client.
* The admin role has this "impersonation" role in its composite
* After impersonation, you are redirected to Account applications page.
"Master" impersonate service:
* If you visit the "master" impersonate service of the master realm, you
will have a list of realms to choose from based on which
"impersonation" roles the user has assigned to him
* If you impersonate a user from "master" you are logged out and a new
user session is created as the impersonated user.
* If you impersonate a user that is within a different realm than
"master", you are not logged out of master.
Per-realm impersonate service:
* If you visit the impersonate service of another realm other than
"master", you will not have a list of realms and will only be able to
impersonate a user in that realm.
* When you impersonate, you are logged out and a new user session is
created for that user.
Questions:
* I implemented this similarly to the AccountService with a new
"impersonation" client. It is a freemarker form at the moment (csrf
protected)! I'm not 100% sure I can implement it within the admin
console. Gonna look into that next.
* Would it be useful to retain this freemarker form and impersonation
client? Or should it only be available within the admin console?
* What should it look like in the admin console? Just an "impersonate"
button on the User Detail page?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
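The role and session rules Bill lays out above (the "impersonation" client role, the admin composite, the master service listing realms per granted role, and the "logged out unless you are a master user crossing into another realm" session behaviour) can be written down as a small executable model. The block below is an added illustration, not Keycloak code and not from the thread. It assumes, beyond what the thread states, that the master realm's admin client for realm R is named "R-realm" (so "master-realm" for master itself), that roles are spelled "client/role", that the master "admin" realm role expands to the impersonation role of every realm client, that "realm-management/realm-admin" is the composite on the realm side, and that sessions live in an in-memory dict; the audit record is likewise an addition.

```python
"""Executable model of the impersonation rules sketched in the thread.

Added example, not Keycloak code.  Assumptions not stated in the thread:
the master realm's admin client for realm R is named "R-realm" (so
"master-realm" for master itself), roles are spelled "client/role", the
master "admin" realm role expands to the impersonation role of every realm
client, "realm-management/realm-admin" is the realm-side composite, and
sessions live in an in-memory dict.
"""
from dataclasses import dataclass
import itertools

MASTER = "master"
IMPERSONATION = "impersonation"

# Assumed composite roles on the realm side (the thread only says the admin
# composites include "impersonation" in master realm apps and realm-management).
COMPOSITES = {
    "realm-management/realm-admin": {
        f"realm-management/{IMPERSONATION}", "realm-management/view-users"},
}


@dataclass(frozen=True)
class Principal:
    realm: str
    username: str
    roles: frozenset = frozenset()


def effective_roles(roles, realms):
    """Transitively expand composite roles into the flat set of granted roles."""
    result = set(roles)
    if "admin" in result:  # master 'admin' composite: impersonation in every realm client
        result |= {f"{r}-realm/{IMPERSONATION}" for r in realms}
    changed = True
    while changed:
        changed = False
        for role in list(result):
            for member in COMPOSITES.get(role, ()):
                if member not in result:
                    result.add(member)
                    changed = True
    return result


def impersonatable_realms(principal, realms):
    """Realms the impersonate service would offer this principal.

    Master service: every realm whose "<realm>-realm" client granted the role.
    Any other realm's service: only that realm, and only via realm-management.
    """
    roles = effective_roles(principal.roles, realms)
    if principal.realm == MASTER:
        return {r for r in realms if f"{r}-realm/{IMPERSONATION}" in roles}
    if f"realm-management/{IMPERSONATION}" in roles:
        return {principal.realm}
    return set()


class SessionStore:
    """In-memory user sessions plus an audit trail (assumed addition)."""

    def __init__(self, realms):
        self.realms = set(realms)
        self.sessions = {}  # session id -> Principal
        self.audit = []
        self._ids = itertools.count(1)

    def login(self, principal):
        sid = f"sess-{next(self._ids)}"
        self.sessions[sid] = principal
        return sid

    def impersonate(self, actor_sid, target):
        """Return (new session id, actor_logged_out); raise PermissionError if denied."""
        actor = self.sessions.get(actor_sid)
        if actor is None:
            raise PermissionError("actor has no live session")
        if target.realm not in impersonatable_realms(actor, self.realms):
            raise PermissionError(
                f"{actor.realm}/{actor.username} may not impersonate in {target.realm}")
        # Only a master-realm user impersonating into a *different* realm keeps
        # the original session; every other case logs the actor out first.
        keep_actor = actor.realm == MASTER and target.realm != MASTER
        if not keep_actor:
            del self.sessions[actor_sid]
        new_sid = self.login(target)
        self.audit.append((actor.realm, actor.username,
                           target.realm, target.username, new_sid))
        return new_sid, not keep_actor
```

The denial path is deliberately checked before any session is touched, so a failed attempt neither logs the actor out nor creates a session for the target; a realm-local admin asking to impersonate a master user is refused for that reason.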