Allow supporter to sign in as another user

Question

We currently have an Identity server 4 application. Using entity framework core and asp .net identity.

We have a group of supporters who need to be able to access ou

Answer 1

The problem with the user account is that it's not bound to one application. So by allowing others to login using the account, you give them also access to other applications. As a workaround you could use 'public' accounts, like engineer_01, engineer_02, etc.

But, this may not be necessary at all. What you really want IMO is to impersonate the user, instead of 'hacking' the account.

One way to do this, is to extend IdentityServer with a custom grant type using extension grants.

How this could work:

A signed-in user, who is allowed to impersonate users for the particular client/resource, requests an access token at the new impersonation endpoint.

The user sends the sub from the user to impersonate to the endpoint, where the user and (combination of ) sub are verified.

When access is granted a new (short-lived) access token is returned which can be used to impersonate the user, without having to know the credentials of the user.

The access token should contain information of the endpoint so it can be determined whether the user is impersonated.