[keycloak-dev] user impersonation committed

Bill Burke bburke at redhat.com
Fri Jul 10 21:34:30 EDT 2015

Taking a break from auth flows for a fe and took a first stab at user 

Go to:


* There's a new "impersonation" role that is in the same "client" as 
view-realm, view-user, etc... roles  Both in master realm apps and in 
the realm-management client.
* The admin role as this "impersonation" role in its composite
* After impersonation, you are redirected to Account applications page.

"Master" impersonate service:

* If you visit the "master" impersonate service of the master realm, you 
will have a list of of realms to choose from based on which 
"impersonation" roles the user has assigned to him
* If you impersonate a user from "master" you are logged out and a new 
user session is created as the impersonated user.
* If you impersonate a user that is within a different realm than 
"master", you are not logged out of master.

Per realm impersonate service.
* If you visit the impersonate service of another realm other than 
"master", you will not have a list of realms and will only be able to 
impersonate a user in that realm.
* When you impersonate, you are logged out and a new user session is 
created for that user.

* I implemented this similarly to the AccountService with a new 
"impersonation" client.  It is a freemarker form at the moment (csrf 
protected)!  I'm not 100% sure I can implement it within the admin 
console.  Gonna look into that next.
* Would it be useful to retain this freemarker form and impersonation 
client?  Or should it only be available within the admin console?
* What should it look like in the admin console?  Just an "impersonate" 
button on the User Detail page?

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list