5:03 p.m.
Hi,
We’re looking for the best way to support having one user, such as an
admin, have the ability to impersonate another user. I don’t see a simple
way to do this with Keycloak at the moment.
Would you mind letting me know if this is on the roadmap - I didn’t see a
JIRA - or if you have any recommendations on implementing such behavior.
Thanks,
Scott
5:06 p.m.
We don't have this feature but it is something that some key customers
want. I would say we would get to it sometime this summer.
On 4/7/2015 6:03 PM, Scott Rossillo wrote:
Hi,
We’re looking for the best way to support having one user, such as an
admin, have the ability to impersonate another user. I don’t see a
simple way to do this with Keycloak at the moment.
Would you mind letting me know if this is on the roadmap - I didn’t see
a JIRA - or if you have any recommendations on implementing such behavior.
Thanks,
Scott
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
6:13 p.m.
Thanks.
Out of curiosity, how do you see this being implemented? Would a user who
can impersonate another have a specific role to allow this?
I’m thinking a bit about how I may be able to support it before it becomes
a feature, or if it’s something we would be able to contribute.
~ Scott
On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke <bburke(a)redhat.com> wrote:
We don't have this feature but it is something that some key
customers
want. I would say we would get to it sometime this summer.
On 4/7/2015 6:03 PM, Scott Rossillo wrote:
> Hi,
>
> We’re looking for the best way to support having one user, such as an
> admin, have the ability to impersonate another user. I don’t see a
> simple way to do this with Keycloak at the moment.
>
> Would you mind letting me know if this is on the roadmap - I didn’t see
> a JIRA - or if you have any recommendations on implementing such
behavior.
>
> Thanks,
> Scott
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:53 p.m.
I would say an admin would need a special role as well as having all the roles of the user
the admin wants to impersonate.
That's the simple part, second part would be to let an admin login as another user.
Maybe that could be done with a query param to the authorization endpoint, for example:
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
Would also be good to have a enable/disable option for this feature for a realm.
----- Original Message -----
From: "Scott Rossillo" <srossillo(a)smartling.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Wednesday, 8 April, 2015 1:13:19 AM
Subject: Re: [keycloak-user] Impersonate User
Thanks.
Out of curiosity, how do you see this being implemented? Would a user who can
impersonate another have a specific role to allow this?
I’m thinking a bit about how I may be able to support it before it becomes a
feature, or if it’s something we would be able to contribute.
~ Scott
On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke(a)redhat.com > wrote:
We don't have this feature but it is something that some key customers
want. I would say we would get to it sometime this summer.
On 4/7/2015 6:03 PM, Scott Rossillo wrote:
> Hi,
>
> We’re looking for the best way to support having one user, such as an
> admin, have the ability to impersonate another user. I don’t see a
> simple way to do this with Keycloak at the moment.
>
> Would you mind letting me know if this is on the roadmap - I didn’t see
> a JIRA - or if you have any recommendations on implementing such behavior.
>
> Thanks,
> Scott
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:55 a.m.
I worry a bit about how this can be exploited. I think it might need to
be its own service that
1. checks and verifies the admin is logged in (via the cookie)
2. Re-authenticates the admin manually
3. Logouts out the admin and logins him in as impersonated user.
There might be other sensitive areas/features where we might want to
require manual re-authentication before.
Also, we might also want to add information to the id/access tokens and
saml assertions for auditing purposes so that clients know that the user
is being impersonated.
FYI, I know this is a must-have feature in order for Red Hat IT to use us.
On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
I would say an admin would need a special role as well as having all
the roles of the user the admin wants to impersonate.
That's the simple part, second part would be to let an admin login as another user.
Maybe that could be done with a query param to the authorization endpoint, for example:
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
Would also be good to have a enable/disable option for this feature for a realm.
----- Original Message -----
> From: "Scott Rossillo" <srossillo(a)smartling.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 8 April, 2015 1:13:19 AM
> Subject: Re: [keycloak-user] Impersonate User
>
> Thanks.
>
> Out of curiosity, how do you see this being implemented? Would a user who can
> impersonate another have a specific role to allow this?
>
> I’m thinking a bit about how I may be able to support it before it becomes a
> feature, or if it’s something we would be able to contribute.
>
> ~ Scott
>
>
>
> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke(a)redhat.com > wrote:
>
>
> We don't have this feature but it is something that some key customers
> want. I would say we would get to it sometime this summer.
>
> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>> Hi,
>>
>> We’re looking for the best way to support having one user, such as an
>> admin, have the ability to impersonate another user. I don’t see a
>> simple way to do this with Keycloak at the moment.
>>
>> Would you mind letting me know if this is on the roadmap - I didn’t see
>> a JIRA - or if you have any recommendations on implementing such behavior.
>>
>> Thanks,
>> Scott
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:17 a.m.
Jumping in with my requirements as Impersonation is a very sensitive issue. It has to be
read only and clearly indicated in both gui and audit engine( logs). We typically require
both the admin and user information populated for audit purposes which means that the
admin should not be logged out.
Sent from my iPhone
On Apr 8, 2015, at 9:55 AM, Bill Burke <bburke(a)redhat.com>
wrote:
I worry a bit about how this can be exploited. I think it might need to
be its own service that
1. checks and verifies the admin is logged in (via the cookie)
2. Re-authenticates the admin manually
3. Logouts out the admin and logins him in as impersonated user.
There might be other sensitive areas/features where we might want to
require manual re-authentication before.
Also, we might also want to add information to the id/access tokens and
saml assertions for auditing purposes so that clients know that the user
is being impersonated.
FYI, I know this is a must-have feature in order for Red Hat IT to use us.
> On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
> I would say an admin would need a special role as well as having all the roles of the
user the admin wants to impersonate.
>
> That's the simple part, second part would be to let an admin login as another
user. Maybe that could be done with a query param to the authorization endpoint, for
example:
>
>
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
>
> Would also be good to have a enable/disable option for this feature for a realm.
>
> ----- Original Message -----
>> From: "Scott Rossillo" <srossillo(a)smartling.com>
>> To: "Bill Burke" <bburke(a)redhat.com>
>> Cc: keycloak-user(a)lists.jboss.org
>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
>> Subject: Re: [keycloak-user] Impersonate User
>>
>> Thanks.
>>
>> Out of curiosity, how do you see this being implemented? Would a user who can
>> impersonate another have a specific role to allow this?
>>
>> I’m thinking a bit about how I may be able to support it before it becomes a
>> feature, or if it’s something we would be able to contribute.
>>
>> ~ Scott
>>
>>
>>
>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke(a)redhat.com > wrote:
>>
>>
>> We don't have this feature but it is something that some key customers
>> want. I would say we would get to it sometime this summer.
>>
>>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>>> Hi,
>>>
>>> We’re looking for the best way to support having one user, such as an
>>> admin, have the ability to impersonate another user. I don’t see a
>>> simple way to do this with Keycloak at the moment.
>>>
>>> Would you mind letting me know if this is on the roadmap - I didn’t see
>>> a JIRA - or if you have any recommendations on implementing such behavior.
>>>
>>> Thanks,
>>> Scott
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:56 a.m.
One thing I've seen done with Spring Security (custom code) is to implement
the impersonation as a "stack." An admin impersonating another user gets
pushed instead of logged out and when the impersonated user is logged out,
the admin is popped and re-becomes the principal. This may be much more
complex with distributed security, but the pseudo code of the token would
be something like:
public class KeycloakSecurityContext {
boolean isImpersonated;
KeycloakSecurityContext impersonatingContext;
}
This is obviously only one aspect but could be used by an application to
know if the user is impersonated, and who's doing the impersonating.
~ Scott
On Wed, Apr 8, 2015 at 10:17 AM, Raghu Prabhala <prabhalar(a)yahoo.com> wrote:
Jumping in with my requirements as Impersonation is a very sensitive
issue. It has to be read only and clearly indicated in both gui and audit
engine( logs). We typically require both the admin and user information
populated for audit purposes which means that the admin should not be
logged out.
Sent from my iPhone
> On Apr 8, 2015, at 9:55 AM, Bill Burke <bburke(a)redhat.com> wrote:
>
> I worry a bit about how this can be exploited. I think it might need to
> be its own service that
>
> 1. checks and verifies the admin is logged in (via the cookie)
> 2. Re-authenticates the admin manually
> 3. Logouts out the admin and logins him in as impersonated user.
>
> There might be other sensitive areas/features where we might want to
> require manual re-authentication before.
>
> Also, we might also want to add information to the id/access tokens and
> saml assertions for auditing purposes so that clients know that the user
> is being impersonated.
>
> FYI, I know this is a must-have feature in order for Red Hat IT to use
us.
>
>
>> On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
>> I would say an admin would need a special role as well as having all
the roles of the user the admin wants to impersonate.
>>
>> That's the simple part, second part would be to let an admin login as
another user. Maybe that could be done with a query param to the
authorization endpoint, for example:
>>
>>
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
>>
>> Would also be good to have a enable/disable option for this feature for
a realm.
>>
>> ----- Original Message -----
>>> From: "Scott Rossillo" <srossillo(a)smartling.com>
>>> To: "Bill Burke" <bburke(a)redhat.com>
>>> Cc: keycloak-user(a)lists.jboss.org
>>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
>>> Subject: Re: [keycloak-user] Impersonate User
>>>
>>> Thanks.
>>>
>>> Out of curiosity, how do you see this being implemented? Would a user
who can
>>> impersonate another have a specific role to allow this?
>>>
>>> I’m thinking a bit about how I may be able to support it before it
becomes a
>>> feature, or if it’s something we would be able to contribute.
>>>
>>> ~ Scott
>>>
>>>
>>>
>>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke(a)redhat.com >
wrote:
>>>
>>>
>>> We don't have this feature but it is something that some key customers
>>> want. I would say we would get to it sometime this summer.
>>>
>>>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>>>> Hi,
>>>>
>>>> We’re looking for the best way to support having one user, such as an
>>>> admin, have the ability to impersonate another user. I don’t see a
>>>> simple way to do this with Keycloak at the moment.
>>>>
>>>> Would you mind letting me know if this is on the roadmap - I didn’t
see
>>>> a JIRA - or if you have any recommendations on implementing such
behavior.
>>>>
>>>> Thanks,
>>>> Scott
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2:23 a.m.
This is very similar to how I've implemented impersonation in GateIn
portal. Basically the session wrapped the "admin" session and after
logout, the admin session was restored back. So admin wasn't logged-out,
but he was able to continue with his session in exactly same state like
before impersonation.
But for the Keycloak, it will be very tricky to support this as Keycloak
is SSO and admin is already logged to some applications before he
started impersonation session. So for support of save/restore the admin
session, we would need to implement the "stack" for the UserSession on
auth-server but also for all the application sessions. This might be
possible (but quite tricky) for servlet adapters, but I am not seeing
how to properly support it for JS adapter...
In shortcut, it seems that we would really need to logout original admin
session and then login as impersonated user. For audit purpose, we will
have info that session is impersonated, but IMO we will not be able to
restore original admin session back to the state before impersonation.
Marek
On 8.4.2015 16:56, Scott Rossillo wrote:
One thing I've seen done with Spring Security (custom code) is to
implement the impersonation as a "stack." An admin impersonating
another user gets pushed instead of logged out and when the
impersonated user is logged out, the admin is popped and re-becomes
the principal. This may be much more complex with distributed
security, but the pseudo code of the token would be something like:
public class KeycloakSecurityContext {
boolean isImpersonated;
KeycloakSecurityContext impersonatingContext;
}
This is obviously only one aspect but could be used by an application
to know if the user is impersonated, and who's doing the impersonating.
~ Scott
On Wed, Apr 8, 2015 at 10:17 AM, Raghu Prabhala <prabhalar(a)yahoo.com
<mailto:prabhalar@yahoo.com>> wrote:
Jumping in with my requirements as Impersonation is a very
sensitive issue. It has to be read only and clearly indicated in
both gui and audit engine( logs). We typically require both the
admin and user information populated for audit purposes which
means that the admin should not be logged out.
Sent from my iPhone
> On Apr 8, 2015, at 9:55 AM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
>
> I worry a bit about how this can be exploited. I think it might
need to
> be its own service that
>
> 1. checks and verifies the admin is logged in (via the cookie)
> 2. Re-authenticates the admin manually
> 3. Logouts out the admin and logins him in as impersonated user.
>
> There might be other sensitive areas/features where we might want to
> require manual re-authentication before.
>
> Also, we might also want to add information to the id/access
tokens and
> saml assertions for auditing purposes so that clients know that
the user
> is being impersonated.
>
> FYI, I know this is a must-have feature in order for Red Hat IT
to use us.
>
>
>> On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
>> I would say an admin would need a special role as well as
having all the roles of the user the admin wants to impersonate.
>>
>> That's the simple part, second part would be to let an admin
login as another user. Maybe that could be done with a query param
to the authorization endpoint, for example:
>>
>>
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
>>
>> Would also be good to have a enable/disable option for this
feature for a realm.
>>
>> ----- Original Message -----
>>> From: "Scott Rossillo" <srossillo(a)smartling.com
<mailto:srossillo@smartling.com>>
>>> To: "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>>
>>> Cc: keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
>>> Subject: Re: [keycloak-user] Impersonate User
>>>
>>> Thanks.
>>>
>>> Out of curiosity, how do you see this being implemented? Would
a user who can
>>> impersonate another have a specific role to allow this?
>>>
>>> I’m thinking a bit about how I may be able to support it
before it becomes a
>>> feature, or if it’s something we would be able to contribute.
>>>
>>> ~ Scott
>>>
>>>
>>>
>>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke(a)redhat.com
<mailto:bburke@redhat.com> > wrote:
>>>
>>>
>>> We don't have this feature but it is something that some key
customers
>>> want. I would say we would get to it sometime this summer.
>>>
>>>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>>>> Hi,
>>>>
>>>> We’re looking for the best way to support having one user,
such as an
>>>> admin, have the ability to impersonate another user. I don’t
see a
>>>> simple way to do this with Keycloak at the moment.
>>>>
>>>> Would you mind letting me know if this is on the roadmap - I
didn’t see
>>>> a JIRA - or if you have any recommendations on implementing
such behavior.
>>>>
>>>> Thanks,
>>>> Scott
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:43 a.m.
IMO impersonation shouldn't be done at the SSO level, it should be for a specific
application and we should just have a endpoint that allows "swapping" a token
for an admin user for a token for a different user.
To invoke the endpoint you'd have to have a token for an admin user with a special
'impersonate' role. We also need to some way of controlling what roles can be
impersonated. That could be done by having a impersonate application where it's
possible to set scope.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Scott Rossillo" <srossillo(a)smartling.com>, "Raghu
Prabhala" <prabhalar(a)yahoo.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 9 April, 2015 9:23:43 AM
Subject: Re: [keycloak-user] Impersonate User
This is very similar to how I've implemented impersonation in GateIn portal.
Basically the session wrapped the "admin" session and after logout, the
admin session was restored back. So admin wasn't logged-out, but he was able
to continue with his session in exactly same state like before
impersonation.
But for the Keycloak, it will be very tricky to support this as Keycloak is
SSO and admin is already logged to some applications before he started
impersonation session. So for support of save/restore the admin session, we
would need to implement the "stack" for the UserSession on auth-server but
also for all the application sessions. This might be possible (but quite
tricky) for servlet adapters, but I am not seeing how to properly support it
for JS adapter...
In shortcut, it seems that we would really need to logout original admin
session and then login as impersonated user. For audit purpose, we will have
info that session is impersonated, but IMO we will not be able to restore
original admin session back to the state before impersonation.
Marek
On 8.4.2015 16:56, Scott Rossillo wrote:
One thing I've seen done with Spring Security (custom code) is to implement
the impersonation as a "stack." An admin impersonating another user gets
pushed instead of logged out and when the impersonated user is logged out,
the admin is popped and re-becomes the principal. This may be much more
complex with distributed security, but the pseudo code of the token would be
something like:
public class KeycloakSecurityContext {
boolean isImpersonated;
KeycloakSecurityContext impersonatingContext;
}
This is obviously only one aspect but could be used by an application to know
if the user is impersonated, and who's doing the impersonating.
~ Scott
On Wed, Apr 8, 2015 at 10:17 AM, Raghu Prabhala < prabhalar(a)yahoo.com >
wrote:
Jumping in with my requirements as Impersonation is a very sensitive issue.
It has to be read only and clearly indicated in both gui and audit engine(
logs). We typically require both the admin and user information populated
for audit purposes which means that the admin should not be logged out.
Sent from my iPhone
> On Apr 8, 2015, at 9:55 AM, Bill Burke < bburke(a)redhat.com > wrote:
>
> I worry a bit about how this can be exploited. I think it might need to
> be its own service that
>
> 1. checks and verifies the admin is logged in (via the cookie)
> 2. Re-authenticates the admin manually
> 3. Logouts out the admin and logins him in as impersonated user.
>
> There might be other sensitive areas/features where we might want to
> require manual re-authentication before.
>
> Also, we might also want to add information to the id/access tokens and
> saml assertions for auditing purposes so that clients know that the user
> is being impersonated.
>
> FYI, I know this is a must-have feature in order for Red Hat IT to use us.
>
>
>> On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
>> I would say an admin would need a special role as well as having all the
>> roles of the user the admin wants to impersonate.
>>
>> That's the simple part, second part would be to let an admin login as
>> another user. Maybe that could be done with a query param to the
>> authorization endpoint, for example:
>>
>>
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
>>
>> Would also be good to have a enable/disable option for this feature for a
>> realm.
>>
>> ----- Original Message -----
>>> From: "Scott Rossillo" < srossillo(a)smartling.com >
>>> To: "Bill Burke" < bburke(a)redhat.com >
>>> Cc: keycloak-user(a)lists.jboss.org
>>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
>>> Subject: Re: [keycloak-user] Impersonate User
>>>
>>> Thanks.
>>>
>>> Out of curiosity, how do you see this being implemented? Would a user who
>>> can
>>> impersonate another have a specific role to allow this?
>>>
>>> I’m thinking a bit about how I may be able to support it before it
>>> becomes a
>>> feature, or if it’s something we would be able to contribute.
>>>
>>> ~ Scott
>>>
>>>
>>>
>>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke(a)redhat.com >
wrote:
>>>
>>>
>>> We don't have this feature but it is something that some key customers
>>> want. I would say we would get to it sometime this summer.
>>>
>>>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>>>> Hi,
>>>>
>>>> We’re looking for the best way to support having one user, such as an
>>>> admin, have the ability to impersonate another user. I don’t see a
>>>> simple way to do this with Keycloak at the moment.
>>>>
>>>> Would you mind letting me know if this is on the roadmap - I didn’t see
>>>> a JIRA - or if you have any recommendations on implementing such
>>>> behavior.
>>>>
>>>> Thanks,
>>>> Scott
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:38 a.m.
I think you should ask the users what they want instead of assuming that
only impersonating per application is the way to go. There's certainly
a lot of different features we could implement around this, but
unfortunately there's only so much time to do them.
On 4/9/2015 6:43 AM, Stian Thorgersen wrote:
IMO impersonation shouldn't be done at the SSO level, it should
be for a specific application and we should just have a endpoint that allows
"swapping" a token for an admin user for a token for a different user.
To invoke the endpoint you'd have to have a token for an admin user with a special
'impersonate' role. We also need to some way of controlling what roles can be
impersonated. That could be done by having a impersonate application where it's
possible to set scope.
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: "Scott Rossillo" <srossillo(a)smartling.com>, "Raghu
Prabhala" <prabhalar(a)yahoo.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 9 April, 2015 9:23:43 AM
> Subject: Re: [keycloak-user] Impersonate User
>
> This is very similar to how I've implemented impersonation in GateIn portal.
> Basically the session wrapped the "admin" session and after logout, the
> admin session was restored back. So admin wasn't logged-out, but he was able
> to continue with his session in exactly same state like before
> impersonation.
>
> But for the Keycloak, it will be very tricky to support this as Keycloak is
> SSO and admin is already logged to some applications before he started
> impersonation session. So for support of save/restore the admin session, we
> would need to implement the "stack" for the UserSession on auth-server but
> also for all the application sessions. This might be possible (but quite
> tricky) for servlet adapters, but I am not seeing how to properly support it
> for JS adapter...
>
> In shortcut, it seems that we would really need to logout original admin
> session and then login as impersonated user. For audit purpose, we will have
> info that session is impersonated, but IMO we will not be able to restore
> original admin session back to the state before impersonation.
>
> Marek
>
>
> On 8.4.2015 16:56, Scott Rossillo wrote:
>
>
>
> One thing I've seen done with Spring Security (custom code) is to implement
> the impersonation as a "stack." An admin impersonating another user gets
> pushed instead of logged out and when the impersonated user is logged out,
> the admin is popped and re-becomes the principal. This may be much more
> complex with distributed security, but the pseudo code of the token would be
> something like:
>
> public class KeycloakSecurityContext {
> boolean isImpersonated;
> KeycloakSecurityContext impersonatingContext;
> }
>
> This is obviously only one aspect but could be used by an application to know
> if the user is impersonated, and who's doing the impersonating.
>
> ~ Scott
>
>
> On Wed, Apr 8, 2015 at 10:17 AM, Raghu Prabhala < prabhalar(a)yahoo.com >
> wrote:
>
>
> Jumping in with my requirements as Impersonation is a very sensitive issue.
> It has to be read only and clearly indicated in both gui and audit engine(
> logs). We typically require both the admin and user information populated
> for audit purposes which means that the admin should not be logged out.
>
> Sent from my iPhone
>
>> On Apr 8, 2015, at 9:55 AM, Bill Burke < bburke(a)redhat.com > wrote:
>>
>> I worry a bit about how this can be exploited. I think it might need to
>> be its own service that
>>
>> 1. checks and verifies the admin is logged in (via the cookie)
>> 2. Re-authenticates the admin manually
>> 3. Logouts out the admin and logins him in as impersonated user.
>>
>> There might be other sensitive areas/features where we might want to
>> require manual re-authentication before.
>>
>> Also, we might also want to add information to the id/access tokens and
>> saml assertions for auditing purposes so that clients know that the user
>> is being impersonated.
>>
>> FYI, I know this is a must-have feature in order for Red Hat IT to use us.
>>
>>
>>> On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
>>> I would say an admin would need a special role as well as having all the
>>> roles of the user the admin wants to impersonate.
>>>
>>> That's the simple part, second part would be to let an admin login as
>>> another user. Maybe that could be done with a query param to the
>>> authorization endpoint, for example:
>>>
>>>
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
>>>
>>> Would also be good to have a enable/disable option for this feature for a
>>> realm.
>>>
>>> ----- Original Message -----
>>>> From: "Scott Rossillo" < srossillo(a)smartling.com >
>>>> To: "Bill Burke" < bburke(a)redhat.com >
>>>> Cc: keycloak-user(a)lists.jboss.org
>>>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
>>>> Subject: Re: [keycloak-user] Impersonate User
>>>>
>>>> Thanks.
>>>>
>>>> Out of curiosity, how do you see this being implemented? Would a user
who
>>>> can
>>>> impersonate another have a specific role to allow this?
>>>>
>>>> I’m thinking a bit about how I may be able to support it before it
>>>> becomes a
>>>> feature, or if it’s something we would be able to contribute.
>>>>
>>>> ~ Scott
>>>>
>>>>
>>>>
>>>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke(a)redhat.com >
wrote:
>>>>
>>>>
>>>> We don't have this feature but it is something that some key
customers
>>>> want. I would say we would get to it sometime this summer.
>>>>
>>>>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>>>>> Hi,
>>>>>
>>>>> We’re looking for the best way to support having one user, such as
an
>>>>> admin, have the ability to impersonate another user. I don’t see a
>>>>> simple way to do this with Keycloak at the moment.
>>>>>
>>>>> Would you mind letting me know if this is on the roadmap - I didn’t
see
>>>>> a JIRA - or if you have any recommendations on implementing such
>>>>> behavior.
>>>>>
>>>>> Thanks,
>>>>> Scott
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:54 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, 9 April, 2015 2:38:01 PM
Subject: Re: [keycloak-user] Impersonate User
I think you should ask the users what they want instead of assuming that
only impersonating per application is the way to go. There's certainly
a lot of different features we could implement around this, but
unfortunately there's only so much time to do them.
I'm not assuming anything I'm just giving my opinion. Besides, we should not
always just do exactly what users asks for, we should rather make sure we understand their
requirements and come up with good solutions that works for Keycloak and them.
I'm sure there's situations where a SSO level impersonation would be more
convinient. However, a token swap service like I suggested would be much simpler to
implement and a lot less risky as well. We should add a token swap service in either case
to allow for example downgrading tokens for chained services.
On 4/9/2015 6:43 AM, Stian Thorgersen wrote:
> IMO impersonation shouldn't be done at the SSO level, it should be for a
> specific application and we should just have a endpoint that allows
> "swapping" a token for an admin user for a token for a different user.
>
> To invoke the endpoint you'd have to have a token for an admin user with a
> special 'impersonate' role. We also need to some way of controlling what
> roles can be impersonated. That could be done by having a impersonate
> application where it's possible to set scope.
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda(a)redhat.com>
>> To: "Scott Rossillo" <srossillo(a)smartling.com>, "Raghu
Prabhala"
>> <prabhalar(a)yahoo.com>
>> Cc: keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 9 April, 2015 9:23:43 AM
>> Subject: Re: [keycloak-user] Impersonate User
>>
>> This is very similar to how I've implemented impersonation in GateIn
>> portal.
>> Basically the session wrapped the "admin" session and after logout,
the
>> admin session was restored back. So admin wasn't logged-out, but he was
>> able
>> to continue with his session in exactly same state like before
>> impersonation.
>>
>> But for the Keycloak, it will be very tricky to support this as Keycloak
>> is
>> SSO and admin is already logged to some applications before he started
>> impersonation session. So for support of save/restore the admin session,
>> we
>> would need to implement the "stack" for the UserSession on auth-server
but
>> also for all the application sessions. This might be possible (but quite
>> tricky) for servlet adapters, but I am not seeing how to properly support
>> it
>> for JS adapter...
>>
>> In shortcut, it seems that we would really need to logout original admin
>> session and then login as impersonated user. For audit purpose, we will
>> have
>> info that session is impersonated, but IMO we will not be able to restore
>> original admin session back to the state before impersonation.
>>
>> Marek
>>
>>
>> On 8.4.2015 16:56, Scott Rossillo wrote:
>>
>>
>>
>> One thing I've seen done with Spring Security (custom code) is to
>> implement
>> the impersonation as a "stack." An admin impersonating another user
gets
>> pushed instead of logged out and when the impersonated user is logged out,
>> the admin is popped and re-becomes the principal. This may be much more
>> complex with distributed security, but the pseudo code of the token would
>> be
>> something like:
>>
>> public class KeycloakSecurityContext {
>> boolean isImpersonated;
>> KeycloakSecurityContext impersonatingContext;
>> }
>>
>> This is obviously only one aspect but could be used by an application to
>> know
>> if the user is impersonated, and who's doing the impersonating.
>>
>> ~ Scott
>>
>>
>> On Wed, Apr 8, 2015 at 10:17 AM, Raghu Prabhala < prabhalar(a)yahoo.com >
>> wrote:
>>
>>
>> Jumping in with my requirements as Impersonation is a very sensitive
>> issue.
>> It has to be read only and clearly indicated in both gui and audit engine(
>> logs). We typically require both the admin and user information populated
>> for audit purposes which means that the admin should not be logged out.
>>
>> Sent from my iPhone
>>
>>> On Apr 8, 2015, at 9:55 AM, Bill Burke < bburke(a)redhat.com > wrote:
>>>
>>> I worry a bit about how this can be exploited. I think it might need to
>>> be its own service that
>>>
>>> 1. checks and verifies the admin is logged in (via the cookie)
>>> 2. Re-authenticates the admin manually
>>> 3. Logouts out the admin and logins him in as impersonated user.
>>>
>>> There might be other sensitive areas/features where we might want to
>>> require manual re-authentication before.
>>>
>>> Also, we might also want to add information to the id/access tokens and
>>> saml assertions for auditing purposes so that clients know that the user
>>> is being impersonated.
>>>
>>> FYI, I know this is a must-have feature in order for Red Hat IT to use
>>> us.
>>>
>>>
>>>> On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
>>>> I would say an admin would need a special role as well as having all
the
>>>> roles of the user the admin wants to impersonate.
>>>>
>>>> That's the simple part, second part would be to let an admin login
as
>>>> another user. Maybe that could be done with a query param to the
>>>> authorization endpoint, for example:
>>>>
>>>>
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
>>>>
>>>> Would also be good to have a enable/disable option for this feature for
>>>> a
>>>> realm.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Scott Rossillo" < srossillo(a)smartling.com >
>>>>> To: "Bill Burke" < bburke(a)redhat.com >
>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
>>>>> Subject: Re: [keycloak-user] Impersonate User
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Out of curiosity, how do you see this being implemented? Would a
user
>>>>> who
>>>>> can
>>>>> impersonate another have a specific role to allow this?
>>>>>
>>>>> I’m thinking a bit about how I may be able to support it before it
>>>>> becomes a
>>>>> feature, or if it’s something we would be able to contribute.
>>>>>
>>>>> ~ Scott
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke(a)redhat.com
> wrote:
>>>>>
>>>>>
>>>>> We don't have this feature but it is something that some key
customers
>>>>> want. I would say we would get to it sometime this summer.
>>>>>
>>>>>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>>>>>> Hi,
>>>>>>
>>>>>> We’re looking for the best way to support having one user, such
as an
>>>>>> admin, have the ability to impersonate another user. I don’t see
a
>>>>>> simple way to do this with Keycloak at the moment.
>>>>>>
>>>>>> Would you mind letting me know if this is on the roadmap - I
didn’t
>>>>>> see
>>>>>> a JIRA - or if you have any recommendations on implementing
such
>>>>>> behavior.
>>>>>>
>>>>>> Thanks,
>>>>>> Scott
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:07 a.m.
On 4/9/2015 8:54 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 9 April, 2015 2:38:01 PM
> Subject: Re: [keycloak-user] Impersonate User
>
> I think you should ask the users what they want instead of assuming that
> only impersonating per application is the way to go. There's certainly
> a lot of different features we could implement around this, but
> unfortunately there's only so much time to do them.
I'm not assuming anything I'm just giving my opinion. Besides, we should not
always just do exactly what users asks for, we should rather make sure we understand their
requirements and come up with good solutions that works for Keycloak and them.
I'm sure there's situations where a SSO level impersonation would be more
convinient. However, a token swap service like I suggested would be much simpler to
implement and a lot less risky as well. We should add a token swap service in either case
to allow for example downgrading tokens for chained services.
An STS approach would work great for REST services and non-web access,
but, what about web apps? Specifically the case where an admin or IT
support staff or developer wants to debug a problem a user is having.
They impersonate the user so that they can see exactly what is going wrong.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:46 a.m.
On 4/9/2015 9:07 AM, Bill Burke wrote:
On 4/9/2015 8:54 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 9 April, 2015 2:38:01 PM
>> Subject: Re: [keycloak-user] Impersonate User
>>
>> I think you should ask the users what they want instead of assuming that
>> only impersonating per application is the way to go. There's certainly
>> a lot of different features we could implement around this, but
>> unfortunately there's only so much time to do them.
> I'm not assuming anything I'm just giving my opinion. Besides, we should not
always just do exactly what users asks for, we should rather make sure we understand their
requirements and come up with good solutions that works for Keycloak and them.
>
> I'm sure there's situations where a SSO level impersonation would be more
convinient. However, a token swap service like I suggested would be much simpler to
implement and a lot less risky as well. We should add a token swap service in either case
to allow for example downgrading tokens for chained services.
>
An STS approach would work great for REST services and non-web access,
but, what about web apps? Specifically the case where an admin or IT
support staff or developer wants to debug a problem a user is having.
They impersonate the user so that they can see exactly what is going wrong.
Do we need to be the ones to solve that use case? The user can either
use a screen sharing application or give the admin his password. Maybe
that's good enough?
9:49 a.m.
Yeah, I am not sure if token swap service is sufficient..
IMO the admin might want to see (or edit) the account management on
behalf of particular user. But our account mgmt is secured by SSO
cookie, not token.
For web applications, the swapping of token would still require the
support on adapters. Basically if admin wants to impersonate as some
user in webapp, we still need to figure backup (or invalidation) of
admin HttpSession, so the web UI of impersonated session really looks
like UI of user and is not polished with some previous state from admin
session. The same would need to be solved for JS apps, but here it may
be even more tricky...
In shortcut, if we want to have something more usable and give to admin
the same experience like the impersonated user (including UI
experience), we may need to do impersonation at SSO level. And do
impersonation as logout of admin session and then SSO re-login of
impersonated user.
Marek
On 9.4.2015 15:07, Bill Burke wrote:
On 4/9/2015 8:54 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 9 April, 2015 2:38:01 PM
>> Subject: Re: [keycloak-user] Impersonate User
>>
>> I think you should ask the users what they want instead of assuming that
>> only impersonating per application is the way to go. There's certainly
>> a lot of different features we could implement around this, but
>> unfortunately there's only so much time to do them.
> I'm not assuming anything I'm just giving my opinion. Besides, we should not
always just do exactly what users asks for, we should rather make sure we understand their
requirements and come up with good solutions that works for Keycloak and them.
>
> I'm sure there's situations where a SSO level impersonation would be more
convinient. However, a token swap service like I suggested would be much simpler to
implement and a lot less risky as well. We should add a token swap service in either case
to allow for example downgrading tokens for chained services.
>
An STS approach would work great for REST services and non-web access,
but, what about web apps? Specifically the case where an admin or IT
support staff or developer wants to debug a problem a user is having.
They impersonate the user so that they can see exactly what is going wrong.
11:33 p.m.
True a separate service might be to much work for applications to implement.
How about just having a kc_impersonate query param available in auth endpoint? In that
case the adapter logs-out the current session, then redirects to auth endpoint with
kc_impersonate=<username>? That way your still impersonating a single app rather
than the whole SSO session and you can also have an option on each app to enable/disable
impersonation.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>, "Stian Thorgersen"
<stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 9 April, 2015 4:49:45 PM
Subject: Re: [keycloak-user] Impersonate User
Yeah, I am not sure if token swap service is sufficient..
IMO the admin might want to see (or edit) the account management on
behalf of particular user. But our account mgmt is secured by SSO
cookie, not token.
For web applications, the swapping of token would still require the
support on adapters. Basically if admin wants to impersonate as some
user in webapp, we still need to figure backup (or invalidation) of
admin HttpSession, so the web UI of impersonated session really looks
like UI of user and is not polished with some previous state from admin
session. The same would need to be solved for JS apps, but here it may
be even more tricky...
In shortcut, if we want to have something more usable and give to admin
the same experience like the impersonated user (including UI
experience), we may need to do impersonation at SSO level. And do
impersonation as logout of admin session and then SSO re-login of
impersonated user.
Marek
On 9.4.2015 15:07, Bill Burke wrote:
>
> On 4/9/2015 8:54 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: keycloak-user(a)lists.jboss.org
>>> Sent: Thursday, 9 April, 2015 2:38:01 PM
>>> Subject: Re: [keycloak-user] Impersonate User
>>>
>>> I think you should ask the users what they want instead of assuming that
>>> only impersonating per application is the way to go. There's certainly
>>> a lot of different features we could implement around this, but
>>> unfortunately there's only so much time to do them.
>> I'm not assuming anything I'm just giving my opinion. Besides, we
should
>> not always just do exactly what users asks for, we should rather make
>> sure we understand their requirements and come up with good solutions
>> that works for Keycloak and them.
>>
>> I'm sure there's situations where a SSO level impersonation would be
more
>> convinient. However, a token swap service like I suggested would be much
>> simpler to implement and a lot less risky as well. We should add a token
>> swap service in either case to allow for example downgrading tokens for
>> chained services.
>>
> An STS approach would work great for REST services and non-web access,
> but, what about web apps? Specifically the case where an admin or IT
> support staff or developer wants to debug a problem a user is having.
> They impersonate the user so that they can see exactly what is going wrong.
>
>
>
9:50 a.m.
On 10.4.2015 06:33, Stian Thorgersen wrote:
True a separate service might be to much work for applications to
implement.
How about just having a kc_impersonate query param available in auth endpoint? In that
case the adapter logs-out the current session, then redirects to auth endpoint with
kc_impersonate=<username>? That way your still impersonating a single app rather
than the whole SSO session and you can also have an option on each app to enable/disable
impersonation.
If I understand correctly, it means that UserSession on auth-server
side
would be still the session of "admin", but we will need to track which
ClientSessions of this UserSession were impersonated. So the
impersonation will be tracked per ClientSession. Is it correct?
Refreshing token probably won't be a problem, as auth-server will know
which clientSession was impersonated and will be able to grant
accessToken for impersonated user.
One thing is, that adapters will need to support some kind of "local"
logout. As we will need to support logout on application side, but not
logout of corresponding userSession on auth-server though. So some
special logic on adapters might be still needed though...
Also it won't address the impersonation of account-management
application though, as this one is secured by our SSO cookie.
So not sure... I am probably still slightly more inclined to do it per
SSO;-)
Marek
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>, "Stian Thorgersen"
<stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 9 April, 2015 4:49:45 PM
> Subject: Re: [keycloak-user] Impersonate User
>
> Yeah, I am not sure if token swap service is sufficient..
>
> IMO the admin might want to see (or edit) the account management on
> behalf of particular user. But our account mgmt is secured by SSO
> cookie, not token.
>
> For web applications, the swapping of token would still require the
> support on adapters. Basically if admin wants to impersonate as some
> user in webapp, we still need to figure backup (or invalidation) of
> admin HttpSession, so the web UI of impersonated session really looks
> like UI of user and is not polished with some previous state from admin
> session. The same would need to be solved for JS apps, but here it may
> be even more tricky...
>
> In shortcut, if we want to have something more usable and give to admin
> the same experience like the impersonated user (including UI
> experience), we may need to do impersonation at SSO level. And do
> impersonation as logout of admin session and then SSO re-login of
> impersonated user.
>
> Marek
>
> On 9.4.2015 15:07, Bill Burke wrote:
>> On 4/9/2015 8:54 AM, Stian Thorgersen wrote:
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: keycloak-user(a)lists.jboss.org
>>>> Sent: Thursday, 9 April, 2015 2:38:01 PM
>>>> Subject: Re: [keycloak-user] Impersonate User
>>>>
>>>> I think you should ask the users what they want instead of assuming that
>>>> only impersonating per application is the way to go. There's
certainly
>>>> a lot of different features we could implement around this, but
>>>> unfortunately there's only so much time to do them.
>>> I'm not assuming anything I'm just giving my opinion. Besides, we
should
>>> not always just do exactly what users asks for, we should rather make
>>> sure we understand their requirements and come up with good solutions
>>> that works for Keycloak and them.
>>>
>>> I'm sure there's situations where a SSO level impersonation would be
more
>>> convinient. However, a token swap service like I suggested would be much
>>> simpler to implement and a lot less risky as well. We should add a token
>>> swap service in either case to allow for example downgrading tokens for
>>> chained services.
>>>
>> An STS approach would work great for REST services and non-web access,
>> but, what about web apps? Specifically the case where an admin or IT
>> support staff or developer wants to debug a problem a user is having.
>> They impersonate the user so that they can see exactly what is going wrong.
>>
>>
>>
>
7:15 a.m.
I've only worked on one application that required impersonation, but we
thought about the problem differently.
It was the corporate travel offering from Sabre. The problem was that
an administrative assistant needed to be able to book travel for one or
more executives. The assistant would not actually impersonate the user,
but the application simply knew who she was allowed to book travel for.
Therefore, impersonation was really more like composite roles that
included a user name (or a wildcard for "any user"). It was up to the
application to know what to do with the roles. It would present a
drop-down to select which user you were working on behalf of.
This way, you never require more than one login or logout. You are just
pushing all the complexity onto the application. But maybe that's
where it belongs.
On 4/9/2015 3:23 AM, Marek Posolda wrote:
This is very similar to how I've implemented impersonation in
GateIn
portal. Basically the session wrapped the "admin" session and after
logout, the admin session was restored back. So admin wasn't
logged-out, but he was able to continue with his session in exactly
same state like before impersonation.
But for the Keycloak, it will be very tricky to support this as
Keycloak is SSO and admin is already logged to some applications
before he started impersonation session. So for support of
save/restore the admin session, we would need to implement the "stack"
for the UserSession on auth-server but also for all the application
sessions. This might be possible (but quite tricky) for servlet
adapters, but I am not seeing how to properly support it for JS adapter...
In shortcut, it seems that we would really need to logout original
admin session and then login as impersonated user. For audit purpose,
we will have info that session is impersonated, but IMO we will not be
able to restore original admin session back to the state before
impersonation.
Marek
On 8.4.2015 16:56, Scott Rossillo wrote:
> One thing I've seen done with Spring Security (custom code) is to
> implement the impersonation as a "stack." An admin impersonating
> another user gets pushed instead of logged out and when the
> impersonated user is logged out, the admin is popped and re-becomes
> the principal. This may be much more complex with distributed
> security, but the pseudo code of the token would be something like:
>
> public class KeycloakSecurityContext {
> boolean isImpersonated;
> KeycloakSecurityContext impersonatingContext;
> }
>
> This is obviously only one aspect but could be used by an application
> to know if the user is impersonated, and who's doing the impersonating.
>
> ~ Scott
>
>
> On Wed, Apr 8, 2015 at 10:17 AM, Raghu Prabhala <prabhalar(a)yahoo.com
> <mailto:prabhalar@yahoo.com>> wrote:
>
> Jumping in with my requirements as Impersonation is a very
> sensitive issue. It has to be read only and clearly indicated in
> both gui and audit engine( logs). We typically require both the
> admin and user information populated for audit purposes which
> means that the admin should not be logged out.
>
> Sent from my iPhone
>
> > On Apr 8, 2015, at 9:55 AM, Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
> >
> > I worry a bit about how this can be exploited. I think it
> might need to
> > be its own service that
> >
> > 1. checks and verifies the admin is logged in (via the cookie)
> > 2. Re-authenticates the admin manually
> > 3. Logouts out the admin and logins him in as impersonated user.
> >
> > There might be other sensitive areas/features where we might
> want to
> > require manual re-authentication before.
> >
> > Also, we might also want to add information to the id/access
> tokens and
> > saml assertions for auditing purposes so that clients know that
> the user
> > is being impersonated.
> >
> > FYI, I know this is a must-have feature in order for Red Hat IT
> to use us.
> >
> >
> >> On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
> >> I would say an admin would need a special role as well as
> having all the roles of the user the admin wants to impersonate.
> >>
> >> That's the simple part, second part would be to let an admin
> login as another user. Maybe that could be done with a query
> param to the authorization endpoint, for example:
> >>
> >>
>
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
> >>
> >> Would also be good to have a enable/disable option for this
> feature for a realm.
> >>
> >> ----- Original Message -----
> >>> From: "Scott Rossillo" <srossillo(a)smartling.com
> <mailto:srossillo@smartling.com>>
> >>> To: "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>>
> >>> Cc: keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> >>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
> >>> Subject: Re: [keycloak-user] Impersonate User
> >>>
> >>> Thanks.
> >>>
> >>> Out of curiosity, how do you see this being implemented?
> Would a user who can
> >>> impersonate another have a specific role to allow this?
> >>>
> >>> I'm thinking a bit about how I may be able to support it
> before it becomes a
> >>> feature, or if it's something we would be able to contribute.
> >>>
> >>> ~ Scott
> >>>
> >>>
> >>>
> >>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke <
> bburke(a)redhat.com <mailto:bburke@redhat.com> > wrote:
> >>>
> >>>
> >>> We don't have this feature but it is something that some key
> customers
> >>> want. I would say we would get to it sometime this summer.
> >>>
> >>>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
> >>>> Hi,
> >>>>
> >>>> We're looking for the best way to support having one user,
> such as an
> >>>> admin, have the ability to impersonate another user. I
don't
> see a
> >>>> simple way to do this with Keycloak at the moment.
> >>>>
> >>>> Would you mind letting me know if this is on the roadmap - I
> didn't see
> >>>> a JIRA - or if you have any recommendations on implementing
> such behavior.
> >>>>
> >>>> Thanks,
> >>>> Scott
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:26 a.m.
----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, 9 April, 2015 2:15:17 PM
Subject: Re: [keycloak-user] Impersonate User
I've only worked on one application that required impersonation, but we
thought about the problem differently.
It was the corporate travel offering from Sabre. The problem was that an
administrative assistant needed to be able to book travel for one or more
executives. The assistant would not actually impersonate the user, but the
application simply knew who she was allowed to book travel for. Therefore,
impersonation was really more like composite roles that included a user name
(or a wildcard for "any user"). It was up to the application to know what to
do with the roles. It would present a drop-down to select which user you
were working on behalf of.
This way, you never require more than one login or logout. You are just
pushing all the complexity onto the application. But maybe that's where it
belongs.
I totally agree - we can make life easier for app developers by providing a token swap
service like I suggested though ;)
On 4/9/2015 3:23 AM, Marek Posolda wrote:
This is very similar to how I've implemented impersonation in GateIn portal.
Basically the session wrapped the "admin" session and after logout, the
admin session was restored back. So admin wasn't logged-out, but he was able
to continue with his session in exactly same state like before
impersonation.
But for the Keycloak, it will be very tricky to support this as Keycloak is
SSO and admin is already logged to some applications before he started
impersonation session. So for support of save/restore the admin session, we
would need to implement the "stack" for the UserSession on auth-server but
also for all the application sessions. This might be possible (but quite
tricky) for servlet adapters, but I am not seeing how to properly support it
for JS adapter...
In shortcut, it seems that we would really need to logout original admin
session and then login as impersonated user. For audit purpose, we will have
info that session is impersonated, but IMO we will not be able to restore
original admin session back to the state before impersonation.
Marek
On 8.4.2015 16:56, Scott Rossillo wrote:
One thing I've seen done with Spring Security (custom code) is to implement
the impersonation as a "stack." An admin impersonating another user gets
pushed instead of logged out and when the impersonated user is logged out,
the admin is popped and re-becomes the principal. This may be much more
complex with distributed security, but the pseudo code of the token would be
something like:
public class KeycloakSecurityContext {
boolean isImpersonated;
KeycloakSecurityContext impersonatingContext;
}
This is obviously only one aspect but could be used by an application to know
if the user is impersonated, and who's doing the impersonating.
~ Scott
On Wed, Apr 8, 2015 at 10:17 AM, Raghu Prabhala < prabhalar(a)yahoo.com >
wrote:
Jumping in with my requirements as Impersonation is a very sensitive issue.
It has to be read only and clearly indicated in both gui and audit engine(
logs). We typically require both the admin and user information populated
for audit purposes which means that the admin should not be logged out.
Sent from my iPhone
> On Apr 8, 2015, at 9:55 AM, Bill Burke < bburke(a)redhat.com > wrote:
>
> I worry a bit about how this can be exploited. I think it might need to
> be its own service that
>
> 1. checks and verifies the admin is logged in (via the cookie)
> 2. Re-authenticates the admin manually
> 3. Logouts out the admin and logins him in as impersonated user.
>
> There might be other sensitive areas/features where we might want to
> require manual re-authentication before.
>
> Also, we might also want to add information to the id/access tokens and
> saml assertions for auditing purposes so that clients know that the user
> is being impersonated.
>
> FYI, I know this is a must-have feature in order for Red Hat IT to use us.
>
>
>> On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
>> I would say an admin would need a special role as well as having all the
>> roles of the user the admin wants to impersonate.
>>
>> That's the simple part, second part would be to let an admin login as
>> another user. Maybe that could be done with a query param to the
>> authorization endpoint, for example:
>>
>>
/realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
>>
>> Would also be good to have a enable/disable option for this feature for a
>> realm.
>>
>> ----- Original Message -----
>>> From: "Scott Rossillo" < srossillo(a)smartling.com >
>>> To: "Bill Burke" < bburke(a)redhat.com >
>>> Cc: keycloak-user(a)lists.jboss.org
>>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
>>> Subject: Re: [keycloak-user] Impersonate User
>>>
>>> Thanks.
>>>
>>> Out of curiosity, how do you see this being implemented? Would a user who
>>> can
>>> impersonate another have a specific role to allow this?
>>>
>>> I’m thinking a bit about how I may be able to support it before it
>>> becomes a
>>> feature, or if it’s something we would be able to contribute.
>>>
>>> ~ Scott
>>>
>>>
>>>
>>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke(a)redhat.com >
wrote:
>>>
>>>
>>> We don't have this feature but it is something that some key customers
>>> want. I would say we would get to it sometime this summer.
>>>
>>>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>>>> Hi,
>>>>
>>>> We’re looking for the best way to support having one user, such as an
>>>> admin, have the ability to impersonate another user. I don’t see a
>>>> simple way to do this with Keycloak at the moment.
>>>>
>>>> Would you mind letting me know if this is on the roadmap - I didn’t see
>>>> a JIRA - or if you have any recommendations on implementing such
>>>> behavior.
>>>>
>>>> Thanks,
>>>> Scott
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:50 a.m.
I'm not sure yet. It would have to be a service that accepts a token,
verifies a role (as you suggest), ditches the current user's session
cookie and sets up themselves as the impersonated user.
On 4/7/2015 7:13 PM, Scott Rossillo wrote:
Thanks.
Out of curiosity, how do you see this being implemented? Would a user
who can impersonate another have a specific role to allow this?
I’m thinking a bit about how I may be able to support it before it
becomes a feature, or if it’s something we would be able to contribute.
~ Scott
On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
We don't have this feature but it is something that some key customers
want. I would say we would get to it sometime this summer.
On 4/7/2015 6:03 PM, Scott Rossillo wrote:
> Hi,
>
> We’re looking for the best way to support having one user, such as an
> admin, have the ability to impersonate another user. I don’t see a
> simple way to do this with Keycloak at the moment.
>
> Would you mind letting me know if this is on the roadmap - I
didn’t see
> a JIRA - or if you have any recommendations on implementing such
behavior.
>
> Thanks,
> Scott
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3558
days inactive
3564
days old
18 comments
6 participants
participants (6)
-
Bill Burke -
Marek Posolda -
Raghu Prabhala -
Scott Rossillo -
Stan Silvert -
Stian Thorgersen