How to connect admin as a user

I have a main admin user, and there are several additional normal users using the same application.
I want to add a feature so that the main user can login as any of the normal users without using the password. The main user doesn’t know the password of the normal user, still he can login as the normal user and perform the same tasks as the normal user.
How do I do it?

Hi @martin4, welcome to the Auth0 Community!

What you’re describing is called impersonation. Auth0 stopped supporting impersonation due to a number of security concerns. Impersonation leaves your application vulnerable to CSRF attacks, since the flag allows the bypassing of the CSRF check from the state parameter if this parameter is missing from the authorization response.

What’s the use case here? I could help you think through an alternative architecture that is still secure but accomplishes the end goal you’re looking for. I find that often the need for impersonation is a flag that something else needs to be redesigned.

Cheers,
Sam Julien
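The CSRF concern in the reply above comes down to how the authorization callback treats the `state` parameter. The following is an added illustration, not Auth0's code or anything from this thread: a strict check that generates a random `state` per login attempt, binds it to the server-side session, and rejects a callback that lacks it or does not match, shown next to the lenient pattern that skips the check when `state` is absent. The in-memory `session` dict stands in for a real session store and is an assumption of the example.

```python
import hmac
import secrets


def begin_login(session: dict) -> str:
    """Start an authorization request: mint a fresh, unguessable state value
    and remember it in the caller's session (constructed dict stand-in)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def validate_callback(session: dict, params: dict) -> bool:
    """Strict check. The callback must carry a state, the session must hold
    one, and they must match. The stored value is consumed so a second
    callback with the same state is rejected."""
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if expected is None or received is None:
        return False
    return hmac.compare_digest(expected, received)


def validate_callback_lenient(session: dict, params: dict) -> bool:
    """The weak pattern the reply warns about: a response with no state
    parameter is waved through, so the binding between the user's browser
    and the authorization response is never verified."""
    received = params.get("state")
    if received is None:
        return True
    return hmac.compare_digest(session.get("oauth_state", ""), received)


if __name__ == "__main__":
    session = {}
    state = begin_login(session)
    print("matching state accepted:", validate_callback(session, {"code": "c1", "state": state}))
    session = {}
    begin_login(session)
    print("missing state rejected:", not validate_callback(session, {"code": "c2"}))
```

The strict version treats a missing `state` the same as a wrong one, which is the property the lenient variant lacks.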

Thanks for the reply.
Can you explain the alternative architecture that I can use to get my end goal?
As for the use case:

I have a main user that acts as the main system user, that can access the records of all the other users that sign up on my application.
That main user (Admin user) has the authority to perform any task on behalf of the normal user.

All the users have their own unique email and password.

So the admin user just needs read and write permissions for the data records for all users. I would just adjust those permissions and add something to your admin UI so they can filter by user to make it easier. I’d also be sure to distinguish between the admin performing an action vs the user in the database (for example, if you’re using an “updated by” column if not a more complicated history). That way if the user disagrees with the action of the admin, you have some proof of who did what (which you would not have if you were impersonating the user). It doesn’t sound like there is any need to impersonate the actual user and their permissions, only the access to the data.

Does that help?

Cheers,
Sam Julien
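To make the suggested design concrete, here is an added example (my own, not Auth0's or Sam's) of the record-access layer it describes: normal users hold `read:own`/`write:own`, the admin holds `read:all`/`write:all`, every write stamps the acting user in an `updated_by` field separate from the record owner, and an audit log keeps who acted on whose behalf. The permission names, the e-mail addresses and the in-memory store are constructed for the example; a real deployment would take the permissions from the user's token and persist the audit log.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed permission model (an assumption of this example, not an Auth0
# convention): ":own" scopes for normal users, ":all" scopes for the admin.
# Nobody ever holds another user's password or session.
PERMISSIONS: Dict[str, Set[str]] = {
    "admin@example.com": {"read:all", "write:all"},
    "alice@example.com": {"read:own", "write:own"},
    "bob@example.com": {"read:own", "write:own"},
}


@dataclass
class Record:
    record_id: int
    owner: str
    data: dict
    updated_by: Optional[str] = None  # the actor, which may differ from owner


@dataclass
class AuditEntry:
    actor: str         # who performed the action (admin or the user)
    on_behalf_of: str  # whose record was touched
    action: str
    record_id: int
    at: str


class RecordStore:
    def __init__(self, permissions: Dict[str, Set[str]]):
        self.permissions = permissions
        self.records: Dict[int, Record] = {}
        self.audit: List[AuditEntry] = []
        self._next_id = 1

    def _authorize(self, actor: str, verb: str, owner: str) -> None:
        """Allow if the actor may act on all records, or on their own
        records and this record is theirs; otherwise refuse."""
        perms = self.permissions.get(actor, set())
        if f"{verb}:all" in perms or (actor == owner and f"{verb}:own" in perms):
            return
        raise PermissionError(f"{actor} may not {verb} records owned by {owner}")

    def _log(self, actor: str, owner: str, action: str, record_id: int) -> None:
        self.audit.append(AuditEntry(actor, owner, action, record_id,
                                     datetime.now(timezone.utc).isoformat()))

    def create(self, actor: str, owner: str, data: dict) -> Record:
        self._authorize(actor, "write", owner)
        rec = Record(self._next_id, owner, dict(data), updated_by=actor)
        self.records[rec.record_id] = rec
        self._next_id += 1
        self._log(actor, owner, "create", rec.record_id)
        return rec

    def read(self, actor: str, record_id: int) -> Record:
        rec = self.records[record_id]
        self._authorize(actor, "read", rec.owner)
        self._log(actor, rec.owner, "read", record_id)
        return rec

    def update(self, actor: str, record_id: int, changes: dict) -> Record:
        rec = self.records[record_id]
        self._authorize(actor, "write", rec.owner)
        rec.data.update(changes)
        rec.updated_by = actor  # stamps the admin, not the owner, when the admin edits
        self._log(actor, rec.owner, "update", record_id)
        return rec

    def list_for_user(self, actor: str, owner: str) -> List[Record]:
        """The 'filter by user' view for the admin UI."""
        self._authorize(actor, "read", owner)
        return [r for r in self.records.values() if r.owner == owner]

    def actions_by(self, actor: str) -> List[AuditEntry]:
        """Everything a given actor did, with the affected owner on each entry."""
        return [e for e in self.audit if e.actor == actor]


if __name__ == "__main__":
    store = RecordStore(PERMISSIONS)
    rec = store.create("alice@example.com", "alice@example.com", {"plan": "free"})
    store.update("admin@example.com", rec.record_id, {"plan": "pro"})
    for entry in store.audit:
        print(entry.actor, entry.action, "on behalf of", entry.on_behalf_of)
```

Because the admin acts under their own identity, the `updated_by` field and the audit entries show that the admin changed Alice's plan, which is the evidence that would be lost if the admin had simply logged in as Alice.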