User impersonation is very very risky.  The legal aspects of it must be 
considered.  There's a lot of work to do to make it safe/effective.
Issuing a scoped token that allows read-only access can work with the above 
caveats.  Then properties/components have to explicitly support the new scope 
and do the right thing. 

On Sunday, February 15, 2015 8:34 PM, Justin Richer <[email protected]> wrote:

 For this case you'd want to be very careful about who was able to do such 
impersonation, obviously, but it's doable today with custom IdP behavior. You 
can simply use OpenID Connect and have the IdP issue an id token for the target 
user instead of the "actual" current user account. 
I would also suggest considering adding a custom claim to the id token to 
indicate this is taking place. That way you can differentiate where needed, 
including in logs.
-- Justin
/ Sent from my phone /

-------- Original message --------
From: Bill Burke <[email protected]> 
Date: 02/15/2015 10:55 PM (GMT-05:00) 
To: oauth <[email protected]> 
Cc: 
Subject: [OAUTH-WG] user impersonation protocol? 

We have a case where we want to allow a logged in admin user to 
impersonate another user so that they can visit different browser apps 
as that user (so they can see everything that the user sees through 
their browser).

Anybody know of any protocol work being done here in the OAuth group or 
some other IETF or even Connect effort that would support something like 
this?

Thanks,

Bill

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth



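The scheme the thread converges on, as an added example that is not code from the thread or from any IdP: the IdP mints an id token whose `sub` is the target user, carries a custom claim naming the acting admin, and is narrowed to a read-only scope; a property/component then honours that scope and names both users in its audit line so impersonated sessions stay distinguishable in logs. The claim name `impersonated_by`, the HS256 demo key and the issuer/audience values are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"constructed-demo-secret"      # constructed; a real IdP signs with its own key
IMPERSONATION_CLAIM = "impersonated_by"    # hypothetical claim name, not from the thread

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(target_sub, admin_sub=None, key=DEMO_KEY):
    """IdP side: the id token's `sub` is the target user. During impersonation the
    token also names the acting admin and is narrowed to a read-only scope."""
    now = int(time.time())
    claims = {"iss": "https://idp.example", "sub": target_sub, "aud": "browser-app",
              "iat": now, "exp": now + 300, "scope": "read write"}
    if admin_sub is not None:
        claims[IMPERSONATION_CLAIM] = admin_sub
        claims["scope"] = "read"
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token, key=DEMO_KEY):
    """Relying-party side: pin the algorithm, then check signature and expiry."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims

def authorize(claims, method):
    """Component side: honour the scope and write an audit line that names the
    acting admin whenever the impersonation claim is present."""
    actor = claims.get(IMPERSONATION_CLAIM)
    allowed = method in ("GET", "HEAD") or "write" in claims["scope"].split()
    who = f"{actor} acting as {claims['sub']}" if actor else claims["sub"]
    return allowed, f"audit: {'allow' if allowed else 'deny'} {method} by {who}"
```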
