Ricardo Almeida

Reputation: 152

How to implement impersonation in IdentityServer4

I would like to know if it is possible to implement impersonation in IdentityServer 4, and how to do it. I did not find anything useful in my research, and it seems, from reading the IdentityServer4 pull requests on GitHub, that it is not doable at the moment. I even searched for "impersonation" for OpenID Connect and OAuth2, but found nothing... Anyway, does anyone know how to do it? Thanks in advance.

Upvotes: 6

Views: 3949

Answers (1)

mackie

Reputation: 5264

Nothing stopping you from implementing it yourself but I think anything beyond representing an impersonated session via claims is outside the scope of the protocol.

OIDC itself does not offer any guidance in this area but this draft spec does:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-14#section-4.1

In our case we loosely followed this and used the act claim to store claims relating to the impersonator and used the amr claim to indicate if impersonation was used by using the value imp.

The rules and flow around who can impersonate whom, and when, are entirely up to you. In our solution end users are able to grant impersonation permissions to specific users, but this facility can be locked down via customer-controlled policies too. Users with valid impersonation grants get an extra step in the sign-in flow that allows them to choose which user to impersonate.

Upvotes: 6
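One way to realise the pattern the answer describes on IdentityServer4, as an added example that is not code from the original answer or from the IdentityServer project. It covers the three pieces a practitioner needs: the extra sign-in step that switches the session to the target user while recording the actor, getting the "act" claim into tokens, and letting an API refuse impersonated sessions. The names ImpersonationController, IImpersonationGrantStore, the "api1" scope and the "imp" amr value are assumptions for illustration; the "act" claim shape follows section 4.1 of the token-exchange draft linked above.

```csharp
// Added example, not part of the original answer or of IdentityServer4 itself.
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical store answering "may actor X impersonate subject Y right now?".
// The grant and policy rules behind it are application-specific, as the answer says.
public interface IImpersonationGrantStore
{
    Task<bool> IsGrantedAsync(string actorSub, string targetSub);
}

[Authorize]
public class ImpersonationController : Controller
{
    private readonly IImpersonationGrantStore _grants;
    public ImpersonationController(IImpersonationGrantStore grants) => _grants = grants;

    // Extra sign-in step: the already-authenticated actor picks a target user.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Impersonate(string targetSub, string returnUrl)
    {
        var actorSub = User.FindFirst(JwtClaimTypes.Subject)?.Value;
        if (actorSub == null || !await _grants.IsGrantedAsync(actorSub, targetSub))
            return Forbid();

        // The session now belongs to the target user. The actor is recorded in an
        // "act" claim (token-exchange draft, section 4.1) stored with the "json"
        // value type so IdentityServer4 serialises it as an object in the JWT;
        // amr=imp marks the session as impersonated.
        var actJson = JsonSerializer.Serialize(new { sub = actorSub });
        var user = new IdentityServerUser(targetSub)
        {
            AdditionalClaims = { new Claim("act", actJson, IdentityServerConstants.ClaimValueTypes.Json) },
            AuthenticationMethods = { "imp" }
        };
        await HttpContext.SignInAsync(user);

        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
}

// "amr" is emitted in tokens by default; "act" only reaches a token when a
// resource requests it and a profile service issues it.
public static class ImpersonationResources
{
    public static ApiScope Api => new ApiScope("api1", new[] { "act" });
}

public class ImpersonationProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Pass through the requested claims carried by the session principal,
        // which includes "act" for impersonated sessions and nothing extra otherwise.
        context.AddRequestedClaims(context.Subject.Claims);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true; // a real implementation checks the target user is still enabled
        return Task.CompletedTask;
    }
}

// Consumer side (an API protected by bearer tokens): sensitive endpoints can
// refuse impersonated sessions by inspecting amr. The JWT handler surfaces each
// element of the amr array as its own "amr" claim, so HasClaim works directly.
public static class ImpersonationPolicies
{
    public static AuthorizationPolicy NoImpersonation => new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => !ctx.User.HasClaim(JwtClaimTypes.AuthenticationMethod, "imp"))
        .Build();
}
```

Register the profile service with services.AddIdentityServer().AddProfileService<ImpersonationProfileService>() and the policy with services.AddAuthorization(o => o.AddPolicy("NoImpersonation", ImpersonationPolicies.NoImpersonation)). Two caveats worth checking in your own deployment: the "act" and "amr" claims live on the session principal, so they also end up in refresh-token grants issued during the impersonated session, and audit logging should key on act.sub rather than sub, since sub is the impersonated user.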
