Yeah, I am not sure if token swap service is sufficient..
IMO the admin might want to see (or edit) the account management on
behalf of particular user. But our account mgmt is secured by SSO
cookie, not token.
For web applications, the swapping of token would still require the
support on adapters. Basically if admin wants to impersonate as some
user in webapp, we still need to figure backup (or invalidation) of
admin HttpSession, so the web UI of impersonated session really looks
like UI of user and is not polished with some previous state from admin
session. The same would need to be solved for JS apps, but here it may
be even more tricky...
In shortcut, if we want to have something more usable and give to admin
the same experience like the impersonated user (including UI
experience), we may need to do impersonation at SSO level. And do
impersonation as logout of admin session and then SSO re-login of
impersonated user.
Marek
On 9.4.2015 15:07, Bill Burke wrote:
On 4/9/2015 8:54 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 9 April, 2015 2:38:01 PM
>> Subject: Re: [keycloak-user] Impersonate User
>>
>> I think you should ask the users what they want instead of assuming that
>> only impersonating per application is the way to go. There's certainly
>> a lot of different features we could implement around this, but
>> unfortunately there's only so much time to do them.
> I'm not assuming anything I'm just giving my opinion. Besides, we should not
always just do exactly what users asks for, we should rather make sure we understand their
requirements and come up with good solutions that works for Keycloak and them.
>
> I'm sure there's situations where a SSO level impersonation would be more
convinient. However, a token swap service like I suggested would be much simpler to
implement and a lot less risky as well. We should add a token swap service in either case
to allow for example downgrading tokens for chained services.
>
An STS approach would work great for REST services and non-web access,
but, what about web apps? Specifically the case where an admin or IT
support staff or developer wants to debug a problem a user is having.
They impersonate the user so that they can see exactly what is going wrong.