[keycloak-user] Impersonate User
Raghu Prabhala
prabhalar at yahoo.com
Wed Apr 8 10:17:02 EDT 2015
Jumping in with my requirements as Impersonation is a very sensitive issue. It has to be read only and clearly indicated in both gui and audit engine( logs). We typically require both the admin and user information populated for audit purposes which means that the admin should not be logged out.
Sent from my iPhone
> On Apr 8, 2015, at 9:55 AM, Bill Burke <bburke at redhat.com> wrote:
>
> I worry a bit about how this can be exploited. I think it might need to
> be its own service that
>
> 1. checks and verifies the admin is logged in (via the cookie)
> 2. Re-authenticates the admin manually
> 3. Logouts out the admin and logins him in as impersonated user.
>
> There might be other sensitive areas/features where we might want to
> require manual re-authentication before.
>
> Also, we might also want to add information to the id/access tokens and
> saml assertions for auditing purposes so that clients know that the user
> is being impersonated.
>
> FYI, I know this is a must-have feature in order for Red Hat IT to use us.
>
>
>> On 4/8/2015 12:53 AM, Stian Thorgersen wrote:
>> I would say an admin would need a special role as well as having all the roles of the user the admin wants to impersonate.
>>
>> That's the simple part, second part would be to let an admin login as another user. Maybe that could be done with a query param to the authorization endpoint, for example:
>>
>> /realms/myrealm/protocols/openid-connect/auth?...&kc_impersonate=<username>
>>
>> Would also be good to have a enable/disable option for this feature for a realm.
>>
>> ----- Original Message -----
>>> From: "Scott Rossillo" <srossillo at smartling.com>
>>> To: "Bill Burke" <bburke at redhat.com>
>>> Cc: keycloak-user at lists.jboss.org
>>> Sent: Wednesday, 8 April, 2015 1:13:19 AM
>>> Subject: Re: [keycloak-user] Impersonate User
>>>
>>> Thanks.
>>>
>>> Out of curiosity, how do you see this being implemented? Would a user who can
>>> impersonate another have a specific role to allow this?
>>>
>>> I’m thinking a bit about how I may be able to support it before it becomes a
>>> feature, or if it’s something we would be able to contribute.
>>>
>>> ~ Scott
>>>
>>>
>>>
>>> On Tue, Apr 7, 2015 at 6:06 PM, Bill Burke < bburke at redhat.com > wrote:
>>>
>>>
>>> We don't have this feature but it is something that some key customers
>>> want. I would say we would get to it sometime this summer.
>>>
>>>> On 4/7/2015 6:03 PM, Scott Rossillo wrote:
>>>> Hi,
>>>>
>>>> We’re looking for the best way to support having one user, such as an
>>>> admin, have the ability to impersonate another user. I don’t see a
>>>> simple way to do this with Keycloak at the moment.
>>>>
>>>> Would you mind letting me know if this is on the roadmap - I didn’t see
>>>> a JIRA - or if you have any recommendations on implementing such behavior.
>>>>
>>>> Thanks,
>>>> Scott
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list