Hi everyone! I need to implement a “fake” login. It’s a feature where an admin can log in under any account and help customers resolve their issues, etc. So, I need to generate a token without knowing the customer’s password, and then use this JWT to call my API and perform some actions as if from the customer’s side. I’m using the RS256 algorithm and, judging by the documentation, I cannot get the private key, so I cannot generate a token for the admin. Are there any other approaches for implementing this feature using Auth0 tools?
The short answer: don’t do this. It is full of security holes. You will regret it.
To do this, you need a “companion app”. This is an app specifically designed for agents to perform actions on behalf of customers, and it requires agent access. All actions should be completely logged, including which agent did the action and on behalf of which customer.
Hi @KostyaZgara
Instead of a customer service agent impersonating a user, you would have a separate app (companion app) or a companion mode in your app. In this separate app/mode, the identity is the customer service rep, and that identity has additional privileges that allow them to access user info.
Take some time to identify and define the security requirements here. Make sure everything is audited (don’t just give customer service reps blanket access to any user data, make sure they only have access to one user at a time).
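One shape the companion mode described in both answers can take, as an added example that is not from the original thread or from Auth0’s own code: the agent’s own (already signature-verified) token must carry an assumed `support:act_as_customer` permission, the agent must be assigned to exactly the customer in question, and every attempt, allowed or denied, is written to an audit log with both the agent and the customer. The permission name, the claim layout and the in-memory assignment store are assumptions.

```python
"""Companion-mode authorization for support agents, as a constructed
example: the agent acts under their OWN identity on behalf of exactly one
customer at a time, and every attempt (allowed or denied) is audited.
Claim and permission names below are assumptions, not Auth0 defaults."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ACT_AS_PERMISSION = "support:act_as_customer"   # assumed custom API permission


@dataclass
class AuditEntry:
    agent: str        # the agent's own `sub`, never the customer's
    customer: str
    action: str
    allowed: bool
    reason: str
    at: str


@dataclass
class CompanionService:
    # agent sub -> the single customer they are currently assigned to.
    # In-memory for the example; a real service would persist this.
    assignments: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def assign_case(self, agent_sub: str, customer_sub: str) -> None:
        # One customer per agent: a new assignment replaces the old one.
        self.assignments[agent_sub] = customer_sub

    def act_on_behalf(self, agent_claims: dict, customer_sub: str, action: str) -> AuditEntry:
        """Decide whether the agent (identified by already signature-verified
        token claims) may perform `action` for `customer_sub`, and record it."""
        agent_sub = agent_claims["sub"]
        if ACT_AS_PERMISSION not in agent_claims.get("permissions", []):
            allowed, reason = False, "missing act-as permission"
        elif self.assignments.get(agent_sub) != customer_sub:
            # No blanket access: only the currently assigned customer.
            allowed, reason = False, "agent not assigned to this customer"
        else:
            allowed, reason = True, "ok"
        entry = AuditEntry(agent_sub, customer_sub, action, allowed, reason,
                           datetime.now(timezone.utc).isoformat())
        self.audit_log.append(entry)   # denied attempts are logged too
        return entry
```

The customer’s password and private signing key are never involved: the API authorizes the agent’s own token and treats the customer id as an audited parameter, not as an identity to mint a token for.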