The way it works is:
* Admin impersonates user
* SSO for browser is now switched to be authenticated as the user rather
  than the admin
* Admin can now log in to any application and would automatically be logged
  in as the impersonated user

So it's transparent to the applications and they don't need to deal with
impersonation in a special way.

On 5 July 2016 at 14:47, Harry Trinta <harrytpc(a)gmail.com> wrote:
Stian, thanks for the reply!
There is no service to retrieve a token passing the cookies as a parameter?
I was looking at TokenEndpoint.java, but I have not found a way.
Thanks
2016-07-05 3:33 GMT-03:00 Stian Thorgersen <sthorger(a)redhat.com>:
> The impersonation feature we have logs the admin in as the impersonated
> user rather than generate tokens. We decided on this approach as it would
> be transparent to applications and they wouldn't need to build in special
> impersonation. What you want is not possible at the moment, but you can
> create a JIRA feature request for it. It would have to be a community
> contribution if you want it added in a timely manner.
>
> On 4 July 2016 at 18:52, Harry Trinta <harrytpc(a)gmail.com> wrote:
>
>> Dears,
>>
>>
>>
>> I need help with user impersonation on Keycloak.
>>
>>
>>
>> I am authenticating users through the
>> "/realms/test/protocol/openid-connect/token". As expected, it returns a
>> token JWT.
>>
>> In my app, all requests go through apiman, which validates the JWT.
>>
>>
>>
>> Now, I need personification of a user. I'm calling the service
>> "/admin/realms/test/users/USER_ID/impersonation", sending the token in the
>> header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...).
>>
>> The service /impersonation creates the user session on Keycloak, however
>> it doesn't return a JWT, but 3 cookies. *I'd like to get the JWT of
>> the personified user instead of the cookies.* Is it possible?
>>
>>
>>
>> Best regards
>>
>> Harry Costa
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user