
feature request: SDKs supporting impersonation

Open marwie opened this issue 1 year ago • 8 comments

What problem did you meet?

I'm trying to implement user impersonation using the Logto SvelteKit SDK. Unfortunately, the SDK does not support impersonation officially (Discord).

When trying to debug, it's important to be able to view the whole app from a user's perspective, hence the ability to impersonate a user is great. But without support in the SDK, it seems I'm forced to put a lot of hacks or workarounds in place, which is potentially error-prone. (If there's a recommended way to deal with this limitation, I'd appreciate any guidance.)

Describe what you'd like Logto to have

I'm using the LogtoClient throughout my app and would like to be able to override the client's access token with my subject/access token to start impersonation and view the app from the user's perspective, without having to worry about mixing access tokens anywhere.

marwie avatar Dec 29 '24 11:12 marwie

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jan 13 '25 02:01 github-actions[bot]

Bump

marwie avatar Jan 13 '25 06:01 marwie

Thanks for your feedback! However, mixing user impersonation tokens and user-requested tokens is strongly discouraged due to security and token management concerns. Requesting and managing impersonation tokens on the client side would put your app at high security risk, as it exposes sensitive administrative actions to the front end.

Currently, our SDK is designed for client-side use only, and user impersonation is an admin feature that can only be requested through the Logto Management API, to be managed securely on your backend service. Please refer to this documentation for more details on how to implement user impersonation securely. Let us know if you have any further questions!

simeng-li avatar Jan 20 '25 07:01 simeng-li
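The server-side flow simeng-li describes (Management API on the backend, impersonation kept apart from the admin's own session) can be sketched in TypeScript for a SvelteKit server route. This is an added example, not Logto's or the SvelteKit SDK's code. The `Locals` shape, the `/api/subject-tokens` and `/oidc/token` paths, and the `subjectToken` / `expiresIn` response fields are assumptions taken from Logto's impersonation documentation as I recall it and should be checked against the current docs; the grant and token-type URNs are the standard RFC 8693 values.

```typescript
// Added example for this thread (not Logto's or the SvelteKit SDK's own code).
// Keeps the admin's own session token and the impersonation token apart on the
// server so no call can mix them up. Hypothetical names: `Locals` mirrors what
// the SDK stores in SvelteKit `locals`; endpoint paths and response fields are
// assumptions to verify against Logto's current documentation.

export const TOKEN_EXCHANGE_GRANT = 'urn:ietf:params:oauth:grant-type:token-exchange'; // RFC 8693
export const ACCESS_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:access_token';

export interface ImpersonationState {
  actorUserId: string;   // admin who started impersonation (kept for the audit trail)
  targetUserId: string;  // user whose view is being reproduced
  accessToken: string;   // token obtained by exchange, never the actor's own token
  expiresAt: number;     // epoch milliseconds
}

export interface Locals {
  userId: string;        // the logged-in admin, from the SDK session (assumed shape)
  roles: string[];
  accessToken: string;   // the admin's own access token
  impersonation?: ImpersonationState;
}

// Who may start impersonation: a named admin role only, and never on oneself.
export function canImpersonate(locals: Locals, targetUserId: string, adminRole = 'admin'): boolean {
  return locals.roles.includes(adminRole) && targetUserId !== locals.userId;
}

// Form body for the RFC 8693 token-exchange request to the OIDC token endpoint.
export function buildTokenExchangeBody(p: {
  clientId: string; subjectToken: string; resource?: string; scope?: string;
}): URLSearchParams {
  const body = new URLSearchParams({
    grant_type: TOKEN_EXCHANGE_GRANT,
    client_id: p.clientId,
    subject_token: p.subjectToken,
    subject_token_type: ACCESS_TOKEN_TYPE,
  });
  if (p.resource) body.set('resource', p.resource);
  if (p.scope) body.set('scope', p.scope);
  return body;
}

// Choose the token for a downstream call. The impersonation token is used only
// while valid; an expired one falls back to the admin's own token and is flagged
// so the caller clears it instead of silently continuing as the admin.
export function selectAccessToken(
  locals: Locals, now = Date.now(),
): { token: string; impersonating: boolean; expired: boolean } {
  const imp = locals.impersonation;
  if (!imp) return { token: locals.accessToken, impersonating: false, expired: false };
  if (imp.expiresAt <= now) return { token: locals.accessToken, impersonating: false, expired: true };
  return { token: imp.accessToken, impersonating: true, expired: false };
}

// Minimal fetch shape so the flow can run against a stub without a live tenant.
export type Fetcher = (
  url: string, init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number; json(): Promise<any> }>;

// Server-only flow: Management API token -> subject token -> exchanged user token.
export async function startImpersonation(
  locals: Locals,
  targetUserId: string,
  cfg: { endpoint: string; clientId: string; managementToken: string; resource?: string; scope?: string },
  fetcher: Fetcher,
  now = Date.now(),
): Promise<ImpersonationState> {
  if (!canImpersonate(locals, targetUserId)) throw new Error('not permitted to impersonate');
  // Assumption: POST /api/subject-tokens (Management API) returns { subjectToken, expiresIn }.
  const subjectRes = await fetcher(`${cfg.endpoint}/api/subject-tokens`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${cfg.managementToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ userId: targetUserId, context: { actorUserId: locals.userId } }),
  });
  if (!subjectRes.ok) throw new Error(`subject token request failed: ${subjectRes.status}`);
  const { subjectToken } = await subjectRes.json();
  // Assumption: /oidc/token accepts the RFC 8693 grant and returns access_token / expires_in.
  const tokenRes = await fetcher(`${cfg.endpoint}/oidc/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildTokenExchangeBody({
      clientId: cfg.clientId, subjectToken, resource: cfg.resource, scope: cfg.scope,
    }).toString(),
  });
  if (!tokenRes.ok) throw new Error(`token exchange failed: ${tokenRes.status}`);
  const { access_token, expires_in } = await tokenRes.json();
  return { actorUserId: locals.userId, targetUserId, accessToken: access_token, expiresAt: now + expires_in * 1000 };
}
```

The point of the split is that the Management API credential and the exchanged token never touch `locals.accessToken`: a route reads `selectAccessToken(locals)` and gets exactly one token plus a flag saying whose it is, which is also what an audit log entry should record.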

Hello @simeng-li

I understand the concern; however, I'm currently using the SvelteKit SDK on the server only and don't request tokens client-side.

It would help already if I could override the access token in the SDK. Do you know if that's possible somehow at the moment, or if that's something you could potentially add to the SDK?

marwie avatar Jan 20 '25 08:01 marwie

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Feb 04 '25 02:02 github-actions[bot]

Bump

marwie avatar Feb 04 '25 09:02 marwie

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Mar 26 '25 02:03 github-actions[bot]

Hello, just wanted to bump and ask whether this could be considered again, or whether an official guide on how impersonation should be used with the SDK could be provided? (The SvelteKit SDK would be most relevant for me, since most of my client application uses the user object stored in the SvelteKit locals.)

marwie avatar Apr 21 '25 04:04 marwie