8:34 p.m.
Taking a break from auth flows for a fe and took a first stab at user
impersonation.
Go to:
/auth/realms/{realm}/impersonate
* There's a new "impersonation" role that is in the same "client"
as
view-realm, view-user, etc... roles Both in master realm apps and in
the realm-management client.
* The admin role as this "impersonation" role in its composite
* After impersonation, you are redirected to Account applications page.
"Master" impersonate service:
* If you visit the "master" impersonate service of the master realm, you
will have a list of of realms to choose from based on which
"impersonation" roles the user has assigned to him
* If you impersonate a user from "master" you are logged out and a new
user session is created as the impersonated user.
* If you impersonate a user that is within a different realm than
"master", you are not logged out of master.
Per realm impersonate service.
* If you visit the impersonate service of another realm other than
"master", you will not have a list of realms and will only be able to
impersonate a user in that realm.
* When you impersonate, you are logged out and a new user session is
created for that user.
Questions:
* I implemented this similarly to the AccountService with a new
"impersonation" client. It is a freemarker form at the moment (csrf
protected)! I'm not 100% sure I can implement it within the admin
console. Gonna look into that next.
* Would it be useful to retain this freemarker form and impersonation
client? Or should it only be available within the admin console?
* What should it look like in the admin console? Just an "impersonate"
button on the User Detail page?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:04 p.m.
A few things:
1. Impersonation should be available via an admin endpoint. If I have the impersonation
role, I should be able to make a call to impersonate another user.
2. It should be availabe in the admin console on the user details page and the list. I
don’t think it makes sense to have to click into the user if you already found them in
search results, etc.
3. What happens when user X decides to impersonate user Y and user X is already
authenticated to clients? How does the impersonation for user X of user Y get propagated
to clients? What happens on logout?
On Jul 10, 2015, at 9:34 PM, Bill Burke <bburke(a)redhat.com>
wrote:
Taking a break from auth flows for a fe and took a first stab at user
impersonation.
Go to:
/auth/realms/{realm}/impersonate
* There's a new "impersonation" role that is in the same "client"
as
view-realm, view-user, etc... roles Both in master realm apps and in
the realm-management client.
* The admin role as this "impersonation" role in its composite
* After impersonation, you are redirected to Account applications page.
"Master" impersonate service:
* If you visit the "master" impersonate service of the master realm, you
will have a list of of realms to choose from based on which
"impersonation" roles the user has assigned to him
* If you impersonate a user from "master" you are logged out and a new
user session is created as the impersonated user.
* If you impersonate a user that is within a different realm than
"master", you are not logged out of master.
Per realm impersonate service.
* If you visit the impersonate service of another realm other than
"master", you will not have a list of realms and will only be able to
impersonate a user in that realm.
* When you impersonate, you are logged out and a new user session is
created for that user.
Questions:
* I implemented this similarly to the AccountService with a new
"impersonation" client. It is a freemarker form at the moment (csrf
protected)! I'm not 100% sure I can implement it within the admin
console. Gonna look into that next.
* Would it be useful to retain this freemarker form and impersonation
client? Or should it only be available within the admin console?
* What should it look like in the admin console? Just an "impersonate"
button on the User Detail page?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:43 p.m.
On 7/10/2015 10:04 PM, Scott Rossillo wrote:
A few things:
1. Impersonation should be available via an admin endpoint. If I have the impersonation
role, I should be able to make a call to impersonate another user.
I've only implemented browser impersonation (cookies). There is no
token exchange at the moment.
2. It should be availabe in the admin console on the user details
page and the list. I don’t think it makes sense to have to click into the user if you
already found them in search results, etc.
Ok.
3. What happens when user X decides to impersonate user Y and user X
is already authenticated to clients? How does the impersonation for user X of user Y get
propagated to clients? What happens on logout?
If User X and User Y are in the same realm, then User X will first be
logged out (and a backchannel logout performed on all clients), then
logged in as User Y. The plan is to redirect to the Account
Applications page.
If User X and User Y are in different realms, then User X stays logged
in. I'm thinking that a new tab would be opened that is redirected to
Account Applications page.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3451
days inactive
3451
days old
2 comments
2 participants
participants (2)
-
Bill Burke -
Scott Rossillo