For this case you'd want to be very careful about who was able to do such impersonation, obviously, but it's doable today with custom IdP behavior. You can simply use OpenID Connect and have the IdP issue an id token for the target user instead of the "actual" current user account.
I would also suggest considering adding a custom claim to the id token to indicate this is taking place. That way you can differentiate where needed, including in logs.

-- Justin
Sent from my phone

-------- Original message --------
From: Bill Burke <bbu...@redhat.com>
Date: 02/15/2015 10:55 PM (GMT-05:00)
To: oauth <oauth@ietf.org>
Cc:
Subject: [OAUTH-WG] user impersonation protocol?

We have a case where we want to allow a logged in admin user to impersonate another user so that they can visit different browser apps as that user (so they can see everything that the user sees through their browser). Anybody know of any protocol work being done here in the OAuth group or some other IETF or even Connect effort that would support something like this?

Thanks,
Bill

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth