I have a requirement of allowing our internal support users to impersonate our customer users.
I'm currently using IdentityServer4, Implicit Flow and OIDC Client.
Resources found so far:
[Question] IdentityServer4 user impersonation #853
Given that there are limited resources online, are there any suggestions on how I can/should implement impersonation with IdentityServer4?
Create an ImpersonationController in your IdentityServer. Make sure that only your administrators can access this page:
[Authorize(Policy = "CanImpersonate")]
Build a page in which you can input the User ID that the admin wants to impersonate.
When posting that form with the intended User ID, use the SignInManager<> class to sign in the current user.
You can even build a dropdown for which external login provider you'd like to impersonate with, if that is important to you. Use the ExternalLoginSignInAsync method in that case, otherwise the plain SignInAsync(user, false) method.
You are then already signed in as that user on Identity Server. When your client applications request sign-in, IdentityServer will notice your "forged" session and will redirect back to the client immediately with your currently signed in account.
You are now impersonating that user in your client application and on IdentityServer.
If you SignOut on IdentityServer, you will be "promoted" again to your previously logged in account (if still signed in as a different identity), or will need to sign in as your actual administrator account again.
This is obviously a topic for debate. I'm assuming you want to add this feature, so that you can reproduce user issues, or do some action as the user.
If you do this without users knowing, be very careful about side-effects of whatever actions are done during the impersonation. Are e-mails or similar notifications sent?
There is a lot of trust to be lost going this route.
This is also a concern for privacy. Who is able to access the details? What details are revealed when impersonating a user on your platform?
Don't impersonate users.
Implement a controlled way in which your administrators can perform the required work. Then you have a consistent audit log, and whatever a signed in user does to your system, you can be sure that it was that user, and not your administrator impersonating that account.
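If you do go the impersonation route, here are the steps from the answer above as an ImpersonationController, written as an added example rather than code from either answer. It assumes ASP.NET Core Identity with IdentityUser, a "Support" role that the "CanImpersonate" policy requires, and an assumed "orig_sub" claim so downstream audit logs can tell impersonated actions apart, which addresses the audit-log concern raised in the last answer.

```csharp
// Added example, not from the answers above. Assumes the policy is registered in
// Startup, e.g.
//   services.AddAuthorization(o =>
//       o.AddPolicy("CanImpersonate", p => p.RequireRole("Support")));
// The role name "Support" and the claim name "orig_sub" are assumptions.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

[Authorize(Policy = "CanImpersonate")]
public class ImpersonationController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly ILogger<ImpersonationController> _logger;

    public ImpersonationController(UserManager<IdentityUser> userManager,
        SignInManager<IdentityUser> signInManager,
        ILogger<ImpersonationController> logger)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _logger = logger;
    }

    // GET: renders a form with a single "userId" field.
    [HttpGet]
    public IActionResult Index() => View();

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Index(string userId)
    {
        // Capture the real operator before the session is replaced.
        var adminId = _userManager.GetUserId(User);
        var target = await _userManager.FindByIdAsync(userId);
        if (target == null) return NotFound();

        // Refuse to impersonate accounts that can themselves impersonate.
        if (await _userManager.IsInRoleAsync(target, "Support")) return Forbid();

        _logger.LogWarning("Impersonation started: admin {AdminId} as user {UserId}",
            adminId, target.Id);

        // Sign in as the target user (the SignInAsync step from the answer), but
        // carry the operator's ID in an extra claim so audit logs stay attributable.
        await _signInManager.SignInWithClaimsAsync(target, isPersistent: false,
            new[] { new Claim("orig_sub", adminId) });
        return RedirectToAction("Index", "Home");
    }
}
```

Client applications that log actions can read the orig_sub claim (if you pass it through in your profile service) to record which administrator was behind an impersonated session.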