[keycloak-user] Impersonate User

Bill Burke bburke at redhat.com
Wed Apr 8 09:55:01 EDT 2015


I worry a bit about how this can be exploited.  I think it might need to 
be its own service that

1. checks and verifies the admin is logged in (via the cookie)
2. Re-authenticates the admin manually
3. Logs out the admin and logs him in as the impersonated user.

There might be other sensitive areas/features where we might want to 
require manual re-authentication before.

Also, we might want to add information to the id/access tokens and 
saml assertions for auditing purposes so that clients know that the user 
is being impersonated.

FYI, I know this is a must-have feature in order for Red Hat IT to use us.


On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
> I would say an admin would need a special role as well as having all the roles of the user the admin wants to impersonate.
>
> That's the simple part, second part would be to let an admin login as another user. Maybe that could be done with a query param to the authorization endpoint, for example:
>
>    /realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
>
> Would also be good to have a enable/disable option for this feature for a realm.
>
> ----- Original Message -----
>> From: "Scott Rossillo" <srossillo at smartling.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
>> Subject: Re: [keycloak-user] Impersonate User
>>
>> Thanks.
>>
>> Out of curiosity, how do you see this being implemented? Would a user who can
>> impersonate another have a specific role to allow this?
>>
>> I’m thinking a bit about how I may be able to support it before it becomes a
>> feature, or if it’s something we would be able to contribute.
>>
>> ~ Scott
>>
>>
>>
>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke at redhat.com > wrote:
>>
>>
>> We don't have this feature but it is something that some key customers
>> want. I would say we would get to it sometime this summer.
>>
>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>>> Hi,
>>>
>>> We’re looking for the best way to support having one user, such as an
>>> admin, have the ability to impersonate another user. I don’t see a
>>> simple way to do this with Keycloak at the moment.
>>>
>>> Would you mind letting me know if this is on the roadmap - I didn’t see
>>> a JIRA - or if you have any recommendations on implementing such behavior.
>>>
>>> Thanks,
>>> Scott
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
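As an added illustration (not code from this thread, and not Keycloak's own implementation), here is a minimal Python model of the service Bill sketches: the admin session is looked up via its cookie, a fresh manual re-authentication is required, the admin session is terminated and a new session opened as the target user, and the token issued for that session carries an `impersonator` claim so that clients and audit logs can tell the user is being impersonated. It also folds in Stian's role rule (a dedicated impersonation role plus a superset of the target's roles) and the per-realm enable/disable switch. The role name `impersonation`, the claim name `impersonator`, the re-authentication freshness window, the issuer URL and the sample users are all constructed assumptions.

```python
"""Hypothetical policy model for an admin-impersonation service (example, not Keycloak code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IMPERSONATE_ROLE = "impersonation"  # assumed name of the special role an admin must hold


@dataclass
class Realm:
    name: str
    impersonation_enabled: bool = True  # the per-realm enable/disable switch
    reauth_max_age: float = 60.0        # seconds a manual re-authentication stays "fresh" (assumed)


@dataclass
class User:
    username: str
    roles: frozenset
    password: str  # constructed sample; a real store keeps a password hash, never the secret


@dataclass
class Session:
    user: User
    session_id: str
    active: bool = True
    last_reauth: Optional[float] = None  # monotonic timestamp of the last manual re-authentication


class ImpersonationError(Exception):
    """Raised whenever one of the impersonation preconditions is not met."""


class ImpersonationService:
    def __init__(self, realm: Realm, users: Dict[str, User]):
        self.realm = realm
        self.users = users
        self.sessions: Dict[str, Session] = {}  # keyed by the session cookie value

    def login(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user.password, password):
            raise ImpersonationError("bad credentials")
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = Session(user=user, session_id=cookie)
        return cookie

    def _session_from_cookie(self, cookie: str) -> Session:
        session = self.sessions.get(cookie)
        if session is None or not session.active:
            raise ImpersonationError("admin is not logged in")
        return session

    def reauthenticate(self, cookie: str, password: str) -> None:
        # Step 2: the admin proves possession of the credential again, on an existing session.
        session = self._session_from_cookie(cookie)
        if not secrets.compare_digest(session.user.password, password):
            raise ImpersonationError("re-authentication failed")
        session.last_reauth = time.monotonic()

    def impersonate(self, cookie: str, target_username: str) -> Tuple[str, dict]:
        if not self.realm.impersonation_enabled:
            raise ImpersonationError("impersonation is disabled for this realm")
        session = self._session_from_cookie(cookie)  # Step 1: admin logged in, verified via cookie
        fresh = session.last_reauth is not None and (
            time.monotonic() - session.last_reauth <= self.realm.reauth_max_age)
        if not fresh:
            raise ImpersonationError("fresh manual re-authentication required")
        admin = session.user
        target = self.users.get(target_username)
        if target is None:
            raise ImpersonationError("unknown target user")
        # Role policy: the special role plus every role the target has.
        if IMPERSONATE_ROLE not in admin.roles or not target.roles <= admin.roles:
            raise ImpersonationError("admin lacks the roles required to impersonate this user")
        # Step 3: log the admin out and open a session as the impersonated user.
        session.active = False
        del self.sessions[cookie]
        new_cookie = secrets.token_hex(16)
        new_session = Session(user=target, session_id=new_cookie)
        self.sessions[new_cookie] = new_session
        return new_cookie, self.issue_token(new_session, impersonator=admin.username)

    def issue_token(self, session: Session, impersonator: Optional[str] = None) -> dict:
        claims = {
            "iss": f"https://idp.example/realms/{self.realm.name}",  # assumed issuer
            "sub": session.user.username,
            "roles": sorted(session.user.roles),
            "sid": session.session_id,
            "iat": int(time.time()),
        }
        if impersonator is not None:
            claims["impersonator"] = {"username": impersonator}  # audit claim for clients
        return claims


def is_impersonated(token: dict) -> bool:
    """What a client would check before trusting an action as the subject's own."""
    return "impersonator" in token


def build_sample_service() -> ImpersonationService:
    # Constructed sample realm and users: alice may impersonate bob; carol lacks the role.
    users = {
        "alice": User("alice", frozenset({"admin", IMPERSONATE_ROLE, "user"}), "alice-pw"),
        "bob": User("bob", frozenset({"user"}), "bob-pw"),
        "carol": User("carol", frozenset({"admin", "user"}), "carol-pw"),
    }
    return ImpersonationService(Realm(name="myrealm"), users)


if __name__ == "__main__":
    svc = build_sample_service()
    cookie = svc.login("alice", "alice-pw")
    svc.reauthenticate(cookie, "alice-pw")
    _, token = svc.impersonate(cookie, "bob")
    print(token)
```

The ordering matters: the role and realm checks happen before the admin session is torn down, so a rejected attempt leaves the admin logged in as before, and the `impersonator` claim is attached only on the path that actually switched users.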

