IdentityServer4 - How to Implement Impersonation
I have a requirement of allowing our internal support users to impersonate our customer users.

I'm currently using IdentityServer4, Implicit Flow and OIDC Client.

Resources found so far.

Given that there are limited resources online, are there any suggestions on how I can/should implement impersonation with IdentityServer4?

Langmuir answered 7/8, 2017 at 14:50 Comment(2)
Just my 2 cents if anyone out there knows how to implement this, but couldn't the IdentityServer4 server use itself as a login provider, so that just like how you can authenticate with gmail/facebook/etc. to get a user token, a superuser can authenticate and get a user token. – Haletky
Something similar was asked here. – Subtraction

How to do this

IdentityServer4 does not prescribe any authentication providers. It just acts as one itself for other OIDC clients. That's why you can use third-party login providers, local accounts and whatever else.

Create an ImpersonationController in your IdentityServer. Make sure that only your administrators can access this page.

[Authorize(Policy = "CanImpersonate")]

Build a page in which you can input a User ID that the admin wants to impersonate. When posting that form with the intended User ID, use the SignInManager<> class to sign in the current user.

You can even build a dropdown for which external login provider you'd like to impersonate with, if that is important to you. Use the ExternalLoginSignInAsync method, otherwise the plain SignInAsync(user, false) method.

You are then already signed in as that user on Identity Server. When your client applications request sign-in, IdentityServer will notice your "forged" session and will redirect back to the client immediately with your currently signed in account.

You are now impersonating that user in your client application and on IdentityServer.

If you SignOut on IdentityServer, you will be "promoted" again to your previously logged in account (if still signed in as different identity), or will need to sign in as your actual administrator account again.

What you need to be careful with

Side effects

This is obviously a topic for debate. I'm assuming you want to add this feature, so that you can reproduce user issues, or do some action as the user.

If you do this without users knowing, be very careful about side-effects of whatever actions are done during the impersonation. Are e-mails or similar notifications sent?

There is a lot of trust to be lost going this route.

Law

This is also a concern for privacy. Who is able to access the details? What details are revealed when impersonating a user on your platform?

A recommendation

Don't impersonate users.

Implement a controlled way in which your administrators can perform the required work. Then you have a consistent audit log, and whatever a signed-in user does to your system, you can be sure that it was that user, and not your administrator impersonating that account.

Cookbook answered 19/2, 2020 at 17:50 Comment(0)
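The sign-in step of the answer above, as an added example (not code from the answer or from IdentityServer4): an ASP.NET Core Identity controller that takes the target User ID, signs the administrator in as that user, and keeps the real administrator's id on the new session so audit logs can still tell the two apart. Assumed: a user type `ApplicationUser`, the `CanImpersonate` policy from the answer, and a custom claim type `impersonator_id`.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Only administrators who satisfy the policy from the answer reach this controller.
[Authorize(Policy = "CanImpersonate")]
public class ImpersonationController : Controller
{
    // Assumed custom claim that records who really started the session.
    private const string ImpersonatorClaim = "impersonator_id";

    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly ILogger<ImpersonationController> _logger;

    public ImpersonationController(UserManager<ApplicationUser> userManager,
        SignInManager<ApplicationUser> signInManager,
        ILogger<ImpersonationController> logger)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _logger = logger;
    }

    [HttpGet]
    public IActionResult Index() => View(); // form with a single "userId" field

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Impersonate(string userId)
    {
        // Refuse to chain impersonations: an already-forged session cannot forge another.
        if (User.HasClaim(c => c.Type == ImpersonatorClaim)) return Forbid();

        var admin = await _userManager.GetUserAsync(User);
        var target = await _userManager.FindByIdAsync(userId);
        if (target == null || target.Id == admin.Id) return NotFound();

        // Write the audit record before the session is replaced.
        _logger.LogWarning("Admin {AdminId} impersonating user {TargetId}", admin.Id, target.Id);

        // Replace the admin's session with the target user's, carrying the admin id as a claim.
        await _signInManager.SignOutAsync();
        var extra = new[] { new Claim(ImpersonatorClaim, admin.Id) };
        await _signInManager.SignInWithClaimsAsync(target, isPersistent: false, extra);
        return Redirect("/");
    }
}
```

Downstream code and the client applications can check for the `impersonator_id` claim to show an "un-impersonate" control and to attribute actions to the administrator in their own logs.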

Probably wouldn't try to build an impersonation feature into the core IdentityServer4 libraries. You really just need a small data structure to hold your impersonated UserId and a service to check for that. It is a foundation feature that your application should be designed around.

Also consider, you may need superuser features that still present themselves even though you are impersonating (e.g. un-impersonate).

Parthenia answered 7/8, 2017 at 19:36 Comment(2)
Would it be safe to store the userid of the impersonated user among the claims of the authenticated user? – Benedetto
I don't think it would be unsafe, just not relevant to the authentication system; seems more a responsibility of the application in which impersonation is a feature. – Parthenia

You can implement IResourceOwnerValidation and validate your support users in your own way. For example, generate a code for a specific user and give it to the support user, then in your implementation check your password with that code too.

Lafontaine answered 25/2, 2020 at 11:31 Comment(0)