I have two sites, https://www.somesite.com (user site) and https://admin.anothersite.com (admin site), and I am using Identity Server 3 for access control, which is hosted on https://identity.somesite.com.
The sites are configured in Identity Server as the same client (different redirect URLs) with cookie-based authentication. I'd like to provide a mechanism where users of the admin site can impersonate users of the user site.
I've seen that I can issue cookies using IssueLoginCookie, but that call needs to be on the identity server, so given that it's on another domain, I can't see how that would work.
How can I go about supporting user impersonation in identity server?
Update
I now have the admin site generate a URL like so:
// state and nonce must be unpredictable (CSRF and replay protection), so use the
// Web Crypto CSPRNG rather than Math.random
function randomToken() {
    var bytes = new Uint8Array(16);
    window.crypto.getRandomValues(bytes);
    return Array.prototype.map.call(bytes, function (b) {
        return ('0' + b.toString(16)).slice(-2);
    }).join('');
}
var url = 'http://localhost:61826/connect/authorize'
    + '?state=' + encodeURIComponent(randomToken())
    + '&nonce=' + encodeURIComponent(randomToken())
    + '&client_id=mvc'
    + '&redirect_uri=' + encodeURIComponent('http://localhost:64822/')
    + '&scope=' + encodeURIComponent('openid profile roles api1')
    + '&acr_values=' + encodeURIComponent('loginas:3230') // impersonation target, read in PreAuthenticateAsync
    + '&response_type=' + encodeURIComponent('id_token token')
    + '&prompt=login'; // force the login flow even if a session already exists
window.location.href = url;
This allows me to pick up the login event in the PreAuthenticateAsync method on my custom IUserService and intercept the login. My current implementation is:
public override async Task PreAuthenticateAsync(PreAuthenticationContext context)
{
    // acr_values=loginas:<subject> marks this authorize request as an impersonation attempt
    if (context.SignInMessage.AcrValues.Any(acr => acr.StartsWith("loginas:")))
    {
        // Would need to also ensure that the user has the relevant permissions to impersonate another user
        var subjectId = _owinContext.Authentication.User.GetSubjectId();

        var login = new AuthenticatedLogin
        {
            Name = "Impersonating For Fun",
            Subject = "3230",
            Claims = new List<Claim>
            {
                new Claim(Constants.ClaimTypes.Subject, "3230")
            },
            PersistentLogin = true,
            IdentityProvider = Constants.BuiltInIdentityProvider,
            AuthenticationMethod = "Cookies"
        };
        _owinContext.Environment.IssueLoginCookie(login);

        // Record the admin's original subject on the impersonated identity
        var impersonationClaims = new List<Claim>
        {
            new Claim("AdminUserId", subjectId)
        };
        context.AuthenticateResult = new AuthenticateResult("3230", "Impersonating For Fun", impersonationClaims);
    }

    await Task.FromResult(0);
}
The user is not shown the login page and is correctly redirected to the target URL. However, the user has not changed to the new user, but rather remains as the original user. What am I missing?
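An added example, not the asker's code and not part of IdentityServer3 itself, of how the permission check that the comment in the posted code says is still needed could be written in the same PreAuthenticateAsync hook. acr_values arrives in a URL the browser controls, so the target subject is parsed out of it rather than hardcoded and is only honoured when the caller already signed in to IdentityServer carries an impersonation permission; the admin's own subject is then recorded as a claim on the impersonated identity for audit. The claim type and value `permission` / `impersonate`, the `act_as_admin_sub` claim, the class name and the `OwinEnvironmentService` constructor injection are assumptions made for this example. It shows only the authorization and parsing side and does not claim to explain the redirect behaviour described in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
using Microsoft.Owin;

// Example user service (not the asker's or IdentityServer3's code): honours
// "loginas:<subject>" only for an authenticated caller holding an assumed
// impersonation permission, and records who is impersonating whom.
public class ImpersonationUserService : UserServiceBase
{
    // Hypothetical permission claim an admin must carry to impersonate.
    public const string PermissionClaimType = "permission";
    public const string ImpersonatePermission = "impersonate";

    // Hypothetical claim placed on the impersonated session so relying
    // parties and audit logs can see the real admin behind it.
    public const string ActorClaimType = "act_as_admin_sub";

    private const string LoginAsPrefix = "loginas:";

    private readonly OwinContext _owinContext;

    public ImpersonationUserService(OwinEnvironmentService owin)
    {
        _owinContext = new OwinContext(owin.Environment);
    }

    // Returns the requested subject when acr_values holds exactly one
    // well-formed "loginas:<subject>" entry, otherwise null.
    public static string ParseLoginAs(IEnumerable<string> acrValues)
    {
        if (acrValues == null) return null;

        var targets = acrValues
            .Where(a => a != null && a.StartsWith(LoginAsPrefix, StringComparison.Ordinal))
            .Select(a => a.Substring(LoginAsPrefix.Length).Trim())
            .ToList();

        if (targets.Count != 1 || targets[0].Length == 0) return null;
        return targets[0];
    }

    public override Task PreAuthenticateAsync(PreAuthenticationContext context)
    {
        var target = ParseLoginAs(context.SignInMessage.AcrValues);
        if (target == null)
        {
            // Not an impersonation request: let the normal login page handle it.
            return Task.FromResult(0);
        }

        // The value came from a URL the user built, so only an already
        // signed-in caller with the permission claim may use it.
        var caller = _owinContext.Authentication.User;
        var permitted = caller != null
            && caller.Identity != null
            && caller.Identity.IsAuthenticated
            && caller.HasClaim(PermissionClaimType, ImpersonatePermission);

        if (!permitted)
        {
            context.AuthenticateResult = new AuthenticateResult("Not permitted to impersonate users.");
            return Task.FromResult(0);
        }

        var adminSubject = caller.GetSubjectId();
        if (adminSubject == target)
        {
            context.AuthenticateResult = new AuthenticateResult("Cannot impersonate yourself.");
            return Task.FromResult(0);
        }

        // Sign in as the target, keeping the admin's subject as an actor claim.
        var claims = new List<Claim> { new Claim(ActorClaimType, adminSubject) };

        context.AuthenticateResult = new AuthenticateResult(
            subject: target,
            name: "Impersonated by " + adminSubject,
            claims: claims,
            identityProvider: Constants.BuiltInIdentityProvider,
            authenticationMethod: "impersonation");

        return Task.FromResult(0);
    }
}
```

Returning an error AuthenticateResult rather than silently falling through means a caller who lacks the permission sees a login error instead of being quietly logged in as themselves, which makes misuse of the acr_values parameter visible in logs and to the user.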