Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Auth0 impersonation deprecated.. What should I use instead?

Tags:

reactjs

access-token

api

auth0

impersonation

On our website, administrators should be able to view the website as the user (client). I planned on using Auth0 for this, and just noticed their impersonation feature is deprecated.

I could force some login flag in Redux to allow the admin to view as the user, however, to get any of the user's data from the API I'm grabbing the user's ID from the access token generated by Auth0 during login. So the API will only get data from the currently logged in user's access token.

Does anybody know of any ways to impersonate a user given this? I think I've enforced a limitation on my API by parsing the user's ID from the access token to get any of that user's data, correct me if I'm wrong.

The only way I could think of is if the admin is "viewing as" the user, it can pass the user's ID in the API call. And in the controller I could check that user ID field exists and use it instead of the current logged in user, but I don't think passing user IDs around is a good idea. Perhaps I could add a middleware on every request, and if that user ID exists in the API call, I could check the role of that user to ensure it's an admin which would validate the request.

What do you think? Any other ideas / critiques on this method?

Thanks!!

like image 896
Greg Miller Avatar asked Oct 05 '18 17:10

Greg Miller

1 Answers

I think you can achieve this without passing the user ID in API call as it not secure to do so.

If your admin wants to view website as your client. And if you want user ID for fetching the user data. Then you can add user ID in field called metadata provided by auth0. And add the metadata field in access token using rules.

So basically you would get the user ID from your access token only as you do in general case.

Now in your controller check, whether the access token has user ID, if you find any, use that ID to get other data.

Following this approach you do not need to pass any additional data and everything would be handled using access token only.

For more secured approach, in controller along with above mentioned check, you can check for the role also to verify that it has admin role.

for adding the rule in auth0, Here is the code that you need to use:

function (user, context, callback) {
// The currently requested scopes can be accessed as follows:
// context.request.query.scope.match(/\S+/g)
//add the following line in this function additionally.
context.accessToken['metadata'] = user.user_metadata;
callback(null, user, context);
}
like image 158
Minal Shah Avatar answered Nov 04 '22 03:11

Minal Shah
Sign in to Comment

Related questions

React bootstrap Navbar: How to right align a navbar item
Failed to load config "react" to extend from
Trying to use emmet with a react app in vs code
Can only set one of `children` or `props.dangerouslySetInnerHTML`
How to detect window size in Next.js SSR using react hook?
React Router Error - Cannot GET [Page Name]
TypeScript conditional types: Extract component props type from react component
Jest Test Babel Error: Plugin/Preset files are not allowed to export objects
How to include local javascript on a Gatsby page?
Next.js Loads <script> tags but it doesn't execute them
Loading Screen on next js page transition
How to trigger INPUT FILE event REACTJS by another DOM
How to switch between themes in Ant design v4 dynamically?
React with MVC data annotations and unobtrusive validation
Form in card body not visible with NativeBase
How to do Batch Mutations with Apollo Client
Docker Multi-stage build - Copy failing

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!