[keycloak-dev] user impersonation committed
Scott Rossillo
srossillo at smartling.com
Fri Jul 10 22:04:45 EDT 2015
A few things:
1. Impersonation should be available via an admin endpoint. If I have the impersonation role, I should be able to make a call to impersonate another user.
2. It should be available in the admin console on the user details page and the list. I don’t think it makes sense to have to click into the user if you already found them in search results, etc.
3. What happens when user X decides to impersonate user Y and user X is already authenticated to clients? How does the impersonation for user X of user Y get propagated to clients? What happens on logout?
> On Jul 10, 2015, at 9:34 PM, Bill Burke <bburke at redhat.com> wrote:
>
> Taking a break from auth flows for a fe and took a first stab at user
> impersonation.
>
> Go to:
>
> /auth/realms/{realm}/impersonate
>
>
> * There's a new "impersonation" role that is in the same "client" as
> view-realm, view-user, etc. roles. Both in master realm apps and in
> the realm-management client.
> * The admin role has this "impersonation" role in its composite
> * After impersonation, you are redirected to Account applications page.
>
> "Master" impersonate service:
>
> * If you visit the "master" impersonate service of the master realm, you
> will have a list of realms to choose from based on which
> "impersonation" roles the user has assigned to him
> * If you impersonate a user from "master" you are logged out and a new
> user session is created as the impersonated user.
> * If you impersonate a user that is within a different realm than
> "master", you are not logged out of master.
>
> Per realm impersonate service.
> * If you visit the impersonate service of another realm other than
> "master", you will not have a list of realms and will only be able to
> impersonate a user in that realm.
> * When you impersonate, you are logged out and a new user session is
> created for that user.
>
>
> Questions:
> * I implemented this similarly to the AccountService with a new
> "impersonation" client. It is a freemarker form at the moment (csrf
> protected)! I'm not 100% sure I can implement it within the admin
> console. Gonna look into that next.
> * Would it be useful to retain this freemarker form and impersonation
> client? Or should it only be available within the admin console?
> * What should it look like in the admin console? Just an "impersonate"
> button on the User Detail page?
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev