Re: [OAUTH-WG] user impersonation protocol?

2015-02-15 Thread Bill Mills
User impersonation is very very risky. The legal aspects of it must be considered. There's a lot of work to do to make it safe/effective. Issuing a scoped token that allows read-only access can work with the above caveats. Then properties/components have to explicitly support the new scope

Re: [OAUTH-WG] user impersonation protocol?

2015-02-15 Thread Justin Richer
For this case you'd want to be very careful about who was able to do such impersonation, obviously, but it's doable today with custom IdP behavior. You can simply use OpenID Connect and have the IdP issue an id token for the target user instead of the "actual" current user account.  I would als

[OAUTH-WG] user impersonation protocol?

2015-02-15 Thread Bill Burke
We have a case where we want to allow a logged-in admin user to impersonate another user so that they can visit different browser apps as that user (so they can see everything that the user sees through their browser). Anybody know of any protocol work being done here in the OAuth group or s