[keycloak-user] Impersonate User
Stan Silvert
ssilvert at redhat.com
Thu Apr 9 10:46:48 EDT 2015
On 4/9/2015 9:07 AM, Bill Burke wrote:
>
> On 4/9/2015 8:54 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Thursday, 9 April, 2015 2:38:01 PM
>>> Subject: Re: [keycloak-user] Impersonate User
>>>
>>> I think you should ask the users what they want instead of assuming that
>>> only impersonating per application is the way to go. There's certainly
>>> a lot of different features we could implement around this, but
>>> unfortunately there's only so much time to do them.
>> I'm not assuming anything I'm just giving my opinion. Besides, we should not always just do exactly what users asks for, we should rather make sure we understand their requirements and come up with good solutions that works for Keycloak and them.
>>
>> I'm sure there's situations where a SSO level impersonation would be more convinient. However, a token swap service like I suggested would be much simpler to implement and a lot less risky as well. We should add a token swap service in either case to allow for example downgrading tokens for chained services.
>>
> An STS approach would work great for REST services and non-web access,
> but, what about web apps? Specifically the case where an admin or IT
> support staff or developer wants to debug a problem a user is having.
> They impersonate the user so that they can see exactly what is going wrong.
>
>
>
Do we need to be the ones to solve that use case? The user can either
use a screen sharing application or give the admin his password. Maybe
that's good enough?
More information about the keycloak-user
mailing list