Allow supporter to sign in as another user

Frontend · unresolved · 2 answers · 2049 views
遥遥无期 2021-01-20 07:41

We currently have an IdentityServer4 application, using Entity Framework Core and ASP.NET Identity.

We have a group of supporters who need to be able to access ou

2 answers
  • 2021-01-20 07:50

    We implemented an impersonation feature that is integrated into the browser-based sign in flow. If a user with permission chooses to sign in as another user then we add additional claims to their IDS4 authentication cookie which then supports issuing extra claims in the resulting token that reflect that it's an impersonation session and who the original actor is.

    1. Navigate to client application
    2. Sign in using whatever credentials
    3. Check if any impersonation permissions exist (how these are defined is entirely up to you)
    4. Prompt for impersonation account selection (or just continue as self)
    5. Sign in as the selected account (with record of original actor)
    6. Redirect to authorize endpoint
    7. Issue tokens and redirect back to client application
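The cookie-based flow from the answer above (steps 3 to 7), written out as an added example for IdentityServer4 with ASP.NET Core Identity. This is not code from the original post. Assumed, hypothetical names: the permission is a claim `impersonate=true` on the actor, the record of the original actor is carried in an `act` claim (the RFC 8693 actor claim) plus an `impersonation=true` flag, and, as in the IdentityServer4 quickstarts, Identity's cookie is the IdentityServer authentication scheme, so `HttpContext.SignInAsync(IdentityServerUser)` re-issues that cookie. `returnUrl` is the `/connect/authorize` URL the login page was invoked with, so the redirect completes steps 6 and 7.

```csharp
// Added example (not from the original post): impersonation inside the
// browser sign-in flow. Claim names "act", "impersonation" and the
// permission claim "impersonate" are assumptions for illustration.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.AspNetIdentity;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public static class ImpersonationClaims
{
    public const string Actor = "act";             // who is really signed in
    public const string Flag = "impersonation";    // "true" while impersonating
    public const string Permission = "impersonate";
}

[Authorize]
public class ImpersonationController : Controller
{
    private readonly UserManager<IdentityUser> _users;

    public ImpersonationController(UserManager<IdentityUser> users) => _users = users;

    // Step 5: re-issue the IdentityServer cookie for the target account,
    // keeping a record of the original actor in the cookie's claims.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> SignInAs(string targetSub, string returnUrl)
    {
        // Step 3: only users holding the permission may impersonate at all.
        if (!User.HasClaim(ImpersonationClaims.Permission, "true"))
            return Forbid();

        var actorSub = User.GetSubjectId();
        var target = await _users.FindByIdAsync(targetSub);

        // Refuse unknown targets, self-impersonation and locked-out accounts;
        // a real deployment should also restrict WHICH accounts may be chosen
        // (e.g. never another supporter or an admin) to avoid escalation.
        if (target == null || target.Id == actorSub || await _users.IsLockedOutAsync(target))
            return BadRequest();

        var isuser = new IdentityServerUser(target.Id)
        {
            DisplayName = target.UserName,
            AdditionalClaims =
            {
                new Claim(ImpersonationClaims.Actor, actorSub),
                new Claim(ImpersonationClaims.Flag, "true"),
            }
        };
        await HttpContext.SignInAsync(isuser);

        // Steps 6-7: back to /connect/authorize, which issues the tokens.
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : Redirect("~/");
    }
}

// Copies the impersonation claims from the cookie principal into every token
// issued for this session, on top of what Identity's profile service emits.
public class ImpersonationProfileService : ProfileService<IdentityUser>
{
    public ImpersonationProfileService(
        UserManager<IdentityUser> userManager,
        IUserClaimsPrincipalFactory<IdentityUser> claimsFactory)
        : base(userManager, claimsFactory) { }

    public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        await base.GetProfileDataAsync(context);
        context.IssuedClaims.AddRange(context.Subject.Claims.Where(c =>
            c.Type == ImpersonationClaims.Actor || c.Type == ImpersonationClaims.Flag));
    }
}

// Startup.ConfigureServices:
//   services.AddIdentityServer()
//       .AddAspNetIdentity<IdentityUser>()
//       .AddProfileService<ImpersonationProfileService>();
```

Downstream APIs then see `sub` = the impersonated user and `act` = the supporter, so they can log both and deny actions that must never be performed on someone's behalf (password changes, MFA enrolment). Remember that the cookie now belongs to the target until the supporter signs out, so audit logs on the identity server side should key on `act` as well.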
  • 2021-01-20 08:01

    The problem with the user account is that it's not bound to one application. So by allowing others to log in using the account, you also give them access to other applications. As a workaround you could use 'public' accounts, like engineer_01, engineer_02, etc.

    But, this may not be necessary at all. What you really want IMO is to impersonate the user, instead of 'hacking' the account.

    One way to do this, is to extend IdentityServer with a custom grant type using extension grants.

    How this could work:

    A signed-in user, who is allowed to impersonate users for the particular client/resource, requests an access token at the new impersonation endpoint.

    The user sends the sub of the user to impersonate to the endpoint, where the user and (combination of) sub are verified.

    When access is granted a new (short-lived) access token is returned which can be used to impersonate the user, without having to know the credentials of the user.

    The access token should contain information about the endpoint so it can be determined whether the user is impersonated.

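The extension grant sketched in the answer above, as an added example (not code from the original post). Assumed, hypothetical names: grant type `impersonation`, form fields `token` (the supporter's own access token) and `target_sub`, a permission claim `impersonate=true` on the supporter, and an `act` claim (RFC 8693 actor claim) in the issued token so APIs can tell an impersonation session from a normal one. The target lookup uses ASP.NET Core Identity's `UserManager`; the token lifetime is made short on the client definition.

```csharp
// Added example (not from the original post): an "impersonation" extension
// grant for IdentityServer4. Field and claim names are assumptions.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;

public class ImpersonationGrantValidator : IExtensionGrantValidator
{
    public const string GrantTypeName = "impersonation";

    private readonly ITokenValidator _tokens;
    private readonly UserManager<IdentityUser> _users;

    public ImpersonationGrantValidator(ITokenValidator tokens, UserManager<IdentityUser> users)
    {
        _tokens = tokens;
        _users = users;
    }

    public string GrantType => GrantTypeName;

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        var actorToken = context.Request.Raw.Get("token");
        var targetSub = context.Request.Raw.Get("target_sub");
        if (string.IsNullOrEmpty(actorToken) || string.IsNullOrEmpty(targetSub))
        {
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidRequest, "token and target_sub are required");
            return;
        }

        // 1. The caller must present a valid access token from this server,
        //    and that token must carry the impersonation permission.
        var validation = await _tokens.ValidateAccessTokenAsync(actorToken);
        if (validation.IsError)
        {
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "actor token is not valid");
            return;
        }
        var actorSub = validation.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;
        var mayImpersonate = validation.Claims.Any(c => c.Type == "impersonate" && c.Value == "true");
        if (actorSub == null || !mayImpersonate || actorSub == targetSub)
        {
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "actor may not impersonate this subject");
            return;
        }

        // 2. The target must be a real, usable account. A real deployment should
        //    also restrict which accounts may be targeted (no admins, no other
        //    supporters) so the grant cannot be used for privilege escalation.
        var target = await _users.FindByIdAsync(targetSub);
        if (target == null || await _users.IsLockedOutAsync(target))
        {
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "unknown target");
            return;
        }

        // 3. Issue a token whose subject is the target, with the real actor
        //    recorded in "act" so resource servers can detect impersonation.
        context.Result = new GrantValidationResult(
            subject: target.Id,
            authenticationMethod: GrantTypeName,
            claims: new[]
            {
                new Claim("act", actorSub),
                new Claim("impersonation", "true"),
            });
    }
}

// Client that is allowed to use the grant; the short AccessTokenLifetime is
// what makes the impersonation token short-lived.
public static class ImpersonationClientConfig
{
    public static Client Build() => new Client
    {
        ClientId = "support-console",
        ClientSecrets = { new Secret("change-me".Sha256()) },
        AllowedGrantTypes = { ImpersonationGrantValidator.GrantTypeName },
        AllowedScopes = { "api1" },
        AccessTokenLifetime = 300,   // five minutes
        AllowOfflineAccess = false,  // no refresh tokens for impersonation sessions
    };
}

// Startup.ConfigureServices:
//   services.AddIdentityServer()
//       .AddInMemoryClients(new[] { ImpersonationClientConfig.Build() })
//       .AddExtensionGrantValidator<ImpersonationGrantValidator>();
```

The supporter's tool then calls `POST /connect/token` with `grant_type=impersonation`, `client_id`/`client_secret`, `scope=api1`, `token=<supporter's access token>` and `target_sub=<user id>`, and gets back an access token for the target. The user's credentials are never involved, and because the `act` claim names the supporter, APIs can audit both identities and refuse sensitive operations when `act` is present.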