[keycloak-dev] user impersonation committed
Bill Burke
bburke at redhat.com
Fri Jul 10 21:34:30 EDT 2015
Taking a break from auth flows for a fe and took a first stab at user
impersonation.
Go to:
/auth/realms/{realm}/impersonate
* There's a new "impersonation" role that is in the same "client" as
view-realm, view-user, etc... roles. Both in master realm apps and in
the realm-management client.
* The admin role has this "impersonation" role in its composite
* After impersonation, you are redirected to Account applications page.
"Master" impersonate service:
* If you visit the "master" impersonate service of the master realm, you
will have a list of realms to choose from based on which
"impersonation" roles the user has assigned to him
* If you impersonate a user from "master" you are logged out and a new
user session is created as the impersonated user.
* If you impersonate a user that is within a different realm than
"master", you are not logged out of master.
Per realm impersonate service.
* If you visit the impersonate service of another realm other than
"master", you will not have a list of realms and will only be able to
impersonate a user in that realm.
* When you impersonate, you are logged out and a new user session is
created for that user.
Questions:
* I implemented this similarly to the AccountService with a new
"impersonation" client. It is a freemarker form at the moment (csrf
protected)! I'm not 100% sure I can implement it within the admin
console. Gonna look into that next.
* Would it be useful to retain this freemarker form and impersonation
client? Or should it only be available within the admin console?
* What should it look like in the admin console? Just an "impersonate"
button on the User Detail page?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
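
The post notes that the admin role carries "impersonation" inside its composite, so the right can be held without ever being assigned directly. As an added example (not part of the original post and not Keycloak code), this sketch expands composite roles over a constructed role graph to list who can impersonate and where; the user names, the "helpdesk" role, the container names other than realm-management, and the data layout are assumptions.

```python
# Added illustration: audit who effectively holds the "impersonation" role.
# All data below is constructed sample data, not a real Keycloak export.
IMPERSONATION = "impersonation"  # role name taken from the post

# Composite role -> roles it contains, each as (container, role).
# "container" is a hypothetical label for the client that owns the role.
COMPOSITES = {
    ("master", "admin"): [
        ("master-realm", IMPERSONATION),
        ("demo-realm", IMPERSONATION),
        ("demo-realm", "view-user"),
    ],
    # Deliberate self-reference to show that cycles are handled.
    ("realm-management", "helpdesk"): [
        ("realm-management", "view-user"),
        ("realm-management", "helpdesk"),
    ],
}

# User -> directly assigned roles (constructed).
ASSIGNMENTS = {
    "alice": [("master", "admin")],
    "bob": [("realm-management", IMPERSONATION)],
    "carol": [("realm-management", "helpdesk")],
}

def effective_roles(direct, composites):
    """Expand composite roles transitively; `seen` guards against cycles."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(composites.get(role, ()))
    return seen

def impersonation_grants(assignments, composites):
    """Map user -> {container: 'direct' | 'composite'} for impersonation."""
    report = {}
    for user, direct in assignments.items():
        grants = {}
        for container, role in sorted(effective_roles(direct, composites)):
            if role == IMPERSONATION:
                via = "direct" if (container, role) in direct else "composite"
                grants[container] = via
        if grants:
            report[user] = grants
    return report

if __name__ == "__main__":
    for user, grants in impersonation_grants(ASSIGNMENTS, COMPOSITES).items():
        print(user, grants)
```

Entries marked "composite" are the ones a review of direct role assignments alone would miss.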