Automatic `/authorize` request on page refresh breaking "impersonation/delegated access"

Our implementation of auth0 includes the ability to impersonate/infiltrate one of our users accounts to see their account and act on their behalf. We currently do this by passing an impersonate: type thing to the body of our request and then doing some permission checking and so forth to make sure they can do it. The one problem I’m having with the auth0-spa sdk is that if I refresh the page for whatever reason, it automatically makes an /authorize request resulting in the user no longer impersonating anymore, but looking at their own account. This is kind of a big problem for some actions that our support team does all the time that require a refresh of the page.

One of my thoughts for how to fix this is to store the impersonate value in the session, so on later silent authentication requests and the like will keep the user in that “impersonation” state. Any ideas how to do that, or other ways to solve the problem? Thanks!

1 Like


Auth0-spa is one of our newest sdks and it was created after impersonation was deprecated. This is means that it does not have support for impersonation since it’s an insecure feature. We recommend that you do not use impersonation (specially in production).

Thank you.

1 Like

I understand that. We’re using our own functionality built with rules and the like. We’re also using it for a sort of “delegated access” kind of setup, where one can look at another user’s account if they have been delegated access by that person. I found a way to make it work though. It involves adding the email of the person being impersonated as an argument to createAuth0Client and then that get’s sent on every authorize request.