[keycloak-dev] user impersonation committed
srossillo at smartling.com
Fri Jul 10 22:04:45 EDT 2015
A few things:
1. Impersonation should be available via an admin endpoint. If I have the impersonation role, I should be able to make a call to impersonate another user.
2. It should be availabe in the admin console on the user details page and the list. I don’t think it makes sense to have to click into the user if you already found them in search results, etc.
3. What happens when user X decides to impersonate user Y and user X is already authenticated to clients? How does the impersonation for user X of user Y get propagated to clients? What happens on logout?
> On Jul 10, 2015, at 9:34 PM, Bill Burke <bburke at redhat.com> wrote:
> Taking a break from auth flows for a fe and took a first stab at user
> Go to:
> * There's a new "impersonation" role that is in the same "client" as
> view-realm, view-user, etc... roles Both in master realm apps and in
> the realm-management client.
> * The admin role as this "impersonation" role in its composite
> * After impersonation, you are redirected to Account applications page.
> "Master" impersonate service:
> * If you visit the "master" impersonate service of the master realm, you
> will have a list of of realms to choose from based on which
> "impersonation" roles the user has assigned to him
> * If you impersonate a user from "master" you are logged out and a new
> user session is created as the impersonated user.
> * If you impersonate a user that is within a different realm than
> "master", you are not logged out of master.
> Per realm impersonate service.
> * If you visit the impersonate service of another realm other than
> "master", you will not have a list of realms and will only be able to
> impersonate a user in that realm.
> * When you impersonate, you are logged out and a new user session is
> created for that user.
> * I implemented this similarly to the AccountService with a new
> "impersonation" client. It is a freemarker form at the moment (csrf
> protected)! I'm not 100% sure I can implement it within the admin
> console. Gonna look into that next.
> * Would it be useful to retain this freemarker form and impersonation
> client? Or should it only be available within the admin console?
> * What should it look like in the admin console? Just an "impersonate"
> button on the User Detail page?
> Bill Burke
> JBoss, a division of Red Hat
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
More information about the keycloak-dev