
Improve impersonation

Open goloroden opened this issue 7 years ago • 1 comments

What is this feature about?

Currently, from within a flow or from within the client you can use the asUser property when sending a command, to impersonate, i.e. to send the command under a different user. Technically, we only change the sub claim, we don't issue a real token. This works if you only want to override the user's identity, but sometimes you also need to provide additional claims. So it would be better to issue a real token, with a new sub claim as well as custom claims.

What needs to be done to implement this feature?

  • [ ] Change the asUser functions to optionally handle custom claims
    • [ ] wolkenkit-flows
    • [ ] wolkenkit-client
    • [ ] Check whether there are more places that are affected
  • [ ] Think about signing these tokens using an internal certificate
  • [ ] Rethink the can-impersonate claim
    • [ ] Decide whether it is still required
    • [ ] Namespace it so that it works with Auth0 again
  • [ ] Update documentation

What else should we know?

This feature request was made by @schmuto. So we should notify him once this has been done.

goloroden · Nov 10 '18 20:11
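As an added illustration (not wolkenkit code and not part of the original issue), here is one way the checklist above could fit together: minting a real, signed token with a new `sub` plus custom claims instead of only rewriting `sub`. The function names, the namespaced claim URL, the issuer value and the generated RSA key pair standing in for the internal certificate are all assumptions; the `act` claim follows RFC 8693.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: a URL-style namespaced claim name (the issue asks for namespacing for Auth0).
const CAN_IMPERSONATE = 'https://auth.example.invalid/can-impersonate';
const RESERVED = new Set(['iss', 'sub', 'act', 'iat', 'exp', CAN_IMPERSONATE]);

// Constructed key pair standing in for the "internal certificate".
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const encode = value => Buffer.from(JSON.stringify(value)).toString('base64url');
const decode = text => JSON.parse(Buffer.from(text, 'base64url').toString('utf8'));

// Hypothetical replacement for only rewriting `sub`: mint a short-lived signed token.
function issueImpersonationToken (callerClaims, asUser, customClaims = {}, now = Math.floor(Date.now() / 1000)) {
  if (callerClaims[CAN_IMPERSONATE] !== true) {
    throw new Error('Caller is not allowed to impersonate.');
  }
  for (const name of Object.keys(customClaims)) {
    // Custom claims must not replace identity claims or grant impersonation rights.
    if (RESERVED.has(name)) { throw new Error(`Claim '${name}' must not be overridden.`); }
  }
  const payload = {
    ...customClaims,
    iss: 'internal-issuer', // assumption
    sub: asUser,
    act: { sub: callerClaims.sub }, // keeps the real caller visible for auditing
    iat: now,
    exp: now + 60
  };
  const signingInput = `${encode({ alg: 'RS256', typ: 'JWT' })}.${encode(payload)}`;
  const signature = nodeCrypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

function verifyImpersonationToken (token, now = Math.floor(Date.now() / 1000)) {
  const [header, payload, signature] = token.split('.');
  if (!header || !payload || !signature) { throw new Error('Malformed token.'); }
  // Pin the algorithm instead of trusting the header to choose it.
  if (decode(header).alg !== 'RS256') { throw new Error('Unexpected algorithm.'); }
  const isValid = nodeCrypto.verify('sha256', Buffer.from(`${header}.${payload}`),
    publicKey, Buffer.from(signature, 'base64url'));
  if (!isValid) { throw new Error('Invalid signature.'); }
  const claims = decode(payload);
  if (claims.exp <= now) { throw new Error('Token expired.'); }
  return claims;
}
```

Because the token is signed, a receiving service can trust the extra claims without trusting the sender, and the `act` claim preserves who actually issued the command.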

Should be on-behalf-of, since in the future we separate between the (technical) client, and the domain (user), and this feature only changes the user, but not the client.

goloroden · Sep 10 '19 09:09