Auth0 impersonation deprecated. What should I use instead?
On our website, administrators should be able to view the website as the user (client). I planned on using Auth0 for this, and just noticed their impersonation feature is deprecated.

I could force some login flag in Redux to allow the admin to view as the user; however, to get any of the user's data from the API I'm grabbing the user's ID from the access token generated by Auth0 during login. So the API will only get data for the currently logged-in user's access token.

Does anybody know of any ways to impersonate a user given this? I think I've enforced a limitation on my API by parsing the user's ID from the access token to get any of that user's data, correct me if I'm wrong.

The only way I could think of is that if the admin is "viewing as" the user, it can pass the user's ID in the API call. And in the controller I could check that the user ID field exists and use it instead of the currently logged-in user, but I don't think passing user IDs around is a good idea. Perhaps I could add a middleware on every request, and if that user ID exists in the API call, I could check the role of the caller to ensure it's an admin, which would validate the request.

What do you think? Any other ideas / critiques on this method?

Thanks!!

Propolis answered 5/10, 2018 at 17:30 Comment(1)
I would like to add: if you have come to a limitation where you need to pass around the UserId, you can safely hash it with something like md5(sha1(userId)) so that a normal person won't read it. You can use it in the query like SELECT * FROM user WHERE MD5(SHA1(userId)) = ?. It's safe and it works for me. - Parallelize

I think you can achieve this without passing the user ID in the API call, as it is not secure to do so.

If your admin wants to view the website as your client, and you want the user ID for fetching the user data, then you can add the user ID in a field called metadata provided by Auth0, and add the metadata field to the access token using Rules.

So basically you would get the user ID from your access token only, as you do in the general case.

Now in your controller, check whether the access token has a user ID; if you find one, use that ID to get the other data.

Following this approach you do not need to pass any additional data, and everything would be handled using the access token only.

For a more secure approach, in the controller, along with the above-mentioned check, you can also check the role to verify that it has the admin role.

For adding the rule in Auth0, here is the code that you need to use:

function (user, context, callback) {
  // The currently requested scopes can be accessed as follows:
  // context.request.query.scope.match(/\S+/g)
  // Add the following line in this function additionally.
  // Note: Auth0 only keeps custom access-token claims whose names are
  // namespaced URLs (e.g. 'https://example.com/metadata'); a bare key
  // such as 'metadata' is dropped from the issued token.
  // Note: user_metadata is data the user may be allowed to edit; admin-only
  // data such as an impersonation target belongs in app_metadata instead.
  context.accessToken['metadata'] = user.user_metadata;
  callback(null, user, context);
}
Voyage answered 23/6, 2020 at 12:55 Comment(0)
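An added example (not code from this answer, the asker, or Auth0) of the controller-side check the answer describes: the effective user defaults to the token's own subject, and impersonation is honoured only when the already-verified access token also carries the admin role, with every decision written to an audit log. The namespaced claim names, the middleware and the express-style `req.auth` are assumptions.

```javascript
// Added example, not from the original answer. Decides whose data a request may
// read, given Auth0 access-token claims that were ALREADY signature-verified
// upstream (e.g. by express-jwt + jwks-rsa). Claim names are hypothetical; Auth0
// keeps custom claims only under a namespaced URL, so a rule would set these.
const NAMESPACE = 'https://example.com/';            // hypothetical namespace
const IMPERSONATE_CLAIM = NAMESPACE + 'impersonate'; // target user id, set by rule
const ROLES_CLAIM = NAMESPACE + 'roles';             // e.g. ['admin'], set by rule

class ForbiddenError extends Error {}

// Returns { userId, actorId, impersonating }. Default is the token's own subject;
// the effective user changes only when the token carries BOTH the admin role and
// a target. Impersonated requests and denied attempts are appended to auditLog.
function resolveEffectiveUser(claims, auditLog = []) {
  if (!claims || typeof claims.sub !== 'string' || claims.sub === '') {
    throw new ForbiddenError('access token has no subject');
  }
  const target = claims[IMPERSONATE_CLAIM];
  if (target === undefined) {
    // Ordinary request: the caller only ever sees their own data.
    return { userId: claims.sub, actorId: claims.sub, impersonating: false };
  }
  const roles = Array.isArray(claims[ROLES_CLAIM]) ? claims[ROLES_CLAIM] : [];
  if (!roles.includes('admin') || typeof target !== 'string' || target === '') {
    // Deny by default: a non-admin token carrying a target is worth logging.
    auditLog.push(`DENY ${claims.sub} -> ${String(target)}`);
    throw new ForbiddenError('impersonation requires the admin role');
  }
  auditLog.push(`IMPERSONATE ${claims.sub} -> ${target}`);
  return { userId: target, actorId: claims.sub, impersonating: true };
}

// Hypothetical express-style middleware: req.auth holds the verified claims and
// controllers read req.effectiveUser.userId instead of the raw token subject.
function impersonationMiddleware(auditLog) {
  return (req, res, next) => {
    try {
      req.effectiveUser = resolveEffectiveUser(req.auth, auditLog);
      next();
    } catch (err) {
      if (err instanceof ForbiddenError) return res.status(403).json({ error: err.message });
      next(err);
    }
  };
}

// Constructed sample claims for a stand-alone run (no real tokens involved).
const sampleLog = [];
const adminClaims = { sub: 'auth0|admin1', [ROLES_CLAIM]: ['admin'], [IMPERSONATE_CLAIM]: 'auth0|user7' };
console.log(resolveEffectiveUser({ sub: 'auth0|user7' }, sampleLog), resolveEffectiveUser(adminClaims, sampleLog), sampleLog);
```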

Impersonation usually works with non-sensitive data. You could, for example, take the public username or an email address along with the admin user's session to create an impersonated session. Your API can take the request from there, verifying the permission of the admin-user-session-key, validating the impersonatable-username and finally returning a new impersonated session. Example request:

{
   session: '<admin-user-session-key>',
   username: '<impersonatable-username>'
}
Adrienadriena answered 22/6, 2020 at 15:55 Comment(5)
I have trouble following what you are trying to explain. I have a SPA with a backend. What would be the flow? - Sharonsharona
1. Admin successfully retrieves a session by logging in to your backend. 2. Admin sends its own session + username of the impersonated user to your backend. Backend responds with a new session signed for the impersonated user. - Adrienadriena
I guess what you are proposing would not be possible, as they are using Auth0 for login, so the backend could not respond with a new session. Sessions are managed by Auth0, which manages the token. - Voyage
> „I thought about using Auth0.“ He isn't using Auth0 yet, and for this particular case I wouldn't suggest it to him either. - Adrienadriena
Even if the sessions were managed by Auth0, the backend could request the session from Auth0 as a proxy of the request. - Adrienadriena
