Login/Register
ASP.NET Core Identity impersonate specific user
Asked Answered
Solved c#impersonationclaims-based-identityasp.net-core-1.1asp.net-core-identity
T

1

8

Let's say I have the following roles:

  1. Admin

  2. User

I want Admin role to impersonate specific user account with User role, but without knowing that specific user account's password.

Admin should be able to impersonate any user from the application and be able to browse the application as the user himself. I found a link where this is actually implemented in ASP.NET MVC 4.6, but having a little headaches while converting this to Core version.

Mostly because of the last line of code in the link 

authenticationManager.SignIn(new AuthenticationProperties() 
{ IsPersistent = false }, impersonatedIdentity);

where SignIn parameter in .NET Core does not allow IdentityResult class (impersonatedIdentity) to be passed anymore. It can now only take ClaimsPrincipal.

So what I ended up doing was this, 

public async Task<IActionResult> ImpersonateUserAsync(string userName)
    { 
        var impersonatedUser = await _userManager.FindByNameAsync(userName);         

        var claims = new List<Claim> {
            new Claim(ClaimTypes.Name, impersonatedUser.FirstName, ClaimValueTypes.String),
            new Claim(ClaimTypes.Surname, impersonatedUser.LastName, ClaimValueTypes.String),
            new Claim(ClaimTypes.Email, impersonatedUser.Email, ClaimValueTypes.String)
        };

        var user = new ClaimsPrincipal(new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme));

        var authenticationManager = _httpContextAccessor.HttpContext.Authentication;
        await authenticationManager.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await authenticationManager.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, user, new AuthenticationProperties() { IsPersistent = false });

        return RedirectToAction("Index", "Home");
    }

I populated necessary claims and passed it to ClaimsPrincipal so SignInAsync can now take var user. However, this seems like I am not actually logging in as the user found in AspNetUsers table who has the role and privileges previously assigned by the Admin role. To be honest, I was expecting above code to at least sign-in as the Name and Surname I defined in var claims, but in fact I am still logged-in as the admin account after I'm redirected to Index page.

What are the proper steps I need to take in order to sign-in as the user account defined in AspNetUsers table so the Admin would be able to browse the application as the user himself?

Thurnau answered 31/5, 2017 at 17:6 Comment(4)
First, be VERY careful about implementing this kind of functionality, as it could open you up to legal liability, especially if you deal with credit card information or health information. Second, you need to provide some auditing capability that indicates that a user was impersonated, so that it can be proven if it was the real user of an impersonated user that did something.Practise
Thanks for your advice, but we have already made an agreement with the clients so don't worry about it. Any idea/approach to solve the issue here?Thurnau
Have you tried the solution here: https://mcmap.net/q/169231/-how-do-i-use-asp-net-identity-2-0-to-allow-a-user-to-impersonate-another-user - Note that this uses SigninManager, not AuthenticationManager.Practise
Thanks I will take a look at it.Thurnau
S
13

There is a blog post about impersonation in Asp.Net Core HERE. I am just searching for such a solution, so I have not tried implementing it yet. However it seems you are on the right track. There are only slight differences between your code and Max's.

Basically you need to replace the cookie at the browser side. So, for the next request the server "thinks" its someone else logged in. At least that's what I understood so far. This is why you better save the original identity in the cookie as well, thus you could switch back to the original user when needed.

I get back when I have a working solutions anyway.

Schiedam answered 22/11, 2017 at 22:16 Comment(1)
How did it go? Mind explaining the blog link?Difficile

© 2022 - 2024 — McMap. All rights reserved.