Our implementation of Auth0 includes the ability to impersonate/infiltrate one of our users' accounts to see their account and act on their behalf. We currently do this by passing an `impersonate: email@example.com` type thing to the body of our request and then doing some permission checking and so forth to make sure they can do it. The one problem I'm having with the auth0-spa SDK is that if I refresh the page for whatever reason, it automatically makes an `/authorize` request, resulting in the user no longer impersonating anymore, but looking at their own account. This is kind of a big problem for some actions that our support team does all the time that require a refresh of the page.

One of my thoughts for how to fix this is to store the `impersonate` value in the session, so that later silent authentication requests and the like will keep the user in that "impersonation" state. Any ideas how to do that, or other ways to solve the problem? Thanks!
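
One way to keep the impersonation state across refreshes, as an added example that is not part of the original post and is not Auth0 SDK code: the state is held server-side, keyed by the support agent's `sub` claim, so a fresh token from a silent `/authorize` round-trip resolves to the same target. The `roles` and `email` claims, the `support` role name, the 30-minute cap and all class and method names are assumptions.

```javascript
// Added example: hypothetical server-side impersonation state (not Auth0 SDK code).
// `claims` is the payload of an access token the API has ALREADY verified.
const SUPPORT_ROLE = "support";      // assumed role name
const MAX_AGE_MS = 30 * 60 * 1000;   // assumed cap on one impersonation session

class ImpersonationStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.active = new Map(); // actor sub -> { target, expiresAt }
    this.audit = [];         // append-only trail of who acted as whom
  }

  canImpersonate(claims) {
    return Array.isArray(claims.roles) && claims.roles.includes(SUPPORT_ROLE);
  }

  log(event, claims, target) {
    this.audit.push({ event, actor: claims.sub, target, at: this.now() });
  }

  // Called once, when the agent picks an account (the `impersonate` body value).
  start(claims, targetEmail) {
    if (!this.canImpersonate(claims)) {
      this.log("denied", claims, targetEmail);
      return false;
    }
    this.active.set(claims.sub, { target: targetEmail, expiresAt: this.now() + MAX_AGE_MS });
    this.log("start", claims, targetEmail);
    return true;
  }

  stop(claims) {
    const entry = this.active.get(claims.sub);
    if (entry && this.active.delete(claims.sub)) this.log("stop", claims, entry.target);
  }

  // Called on every request. A page refresh yields a new token with the same
  // `sub`, so the stored target still applies; expiry and role are re-checked.
  effectiveUser(claims) {
    const entry = this.active.get(claims.sub);
    if (entry && (entry.expiresAt <= this.now() || !this.canImpersonate(claims))) {
      this.stop(claims);
      return { user: claims.email, impersonatedBy: null };
    }
    if (!entry) return { user: claims.email, impersonatedBy: null };
    return { user: entry.target, impersonatedBy: claims.sub };
  }
}
```

Because the client no longer has to resend the target on each request, the server decides the effective user from the verified token alone, and every start, stop and denial lands in the audit trail.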