How to impersonate user in "read only" mode

I want my admins to be able to impersonate a user and see what they see, but not be able to change any settings for security reasons. How to do this? Thanks.

Based on the information available at ( the rules engines is aware of the impersonation.

In a Rule, you have access to user.impersonated and user.impersonator (the impersonating login) and you can write arbitrary Javascript to define how it works.

With this in mind you could setup a rule that when the token is issued as part of impersonation then it includes a claim indicating that fact, for example:

function (user, context, callback) {
  if(context.idToken && user.impersonated) {
    context.idToken""] = true;
  callback(null, user, context);

The final step would be for your application to react accordingly to the presence of this claim in the token and only allow read only access.