[keycloak-dev] user impersonation committed

Bill Burke bburke at redhat.com
Fri Jul 10 22:43:49 EDT 2015

On 7/10/2015 10:04 PM, Scott Rossillo wrote:
> A few things:
> 1. Impersonation should be available via an admin endpoint. If I have the impersonation role, I should be able to make a call to impersonate another user.

I've only implemented browser impersonation (cookies).  There is no 
token exchange at the moment.

> 2. It should be available in the admin console on the user details page and the list. I don’t think it makes sense to have to click into the user if you already found them in search results, etc.


> 3. What happens when user X decides to impersonate user Y and user X is already authenticated to clients? How does the impersonation for user X of user Y get propagated to clients? What happens on logout?

If User X and User Y are in the same realm, then User X will first be 
logged out (and a backchannel logout performed on all clients), then 
logged in as User Y.  The plan is to redirect to the Account 
Applications page.

If User X and User Y are in different realms, then User X stays logged 
in.  I'm thinking that a new tab would be opened that is redirected to 
the Account Applications page.

Bill Burke
JBoss, a division of Red Hat
