Auth0 Home Blog Docs

How to impersonate user in "read only" mode

custom-database

#1

I want my admins to be able to impersonate a user and see what they see, but not be able to change any settings for security reasons. How to do this? Thanks.


#2

Based on the information available at (https://auth0.com/docs/user-profile/user-impersonation) the rules engines is aware of the impersonation.

In a Rule, you have access to user.impersonated and user.impersonator (the impersonating login) and you can write arbitrary Javascript to define how it works.

With this in mind you could setup a rule that when the token is issued as part of impersonation then it includes a claim indicating that fact, for example:

function (user, context, callback) {
  if(context.idToken && user.impersonated) {
    context.idToken"http://example.com/impersonated"] = true;
  }
  
  callback(null, user, context);
}

The final step would be for your application to react accordingly to the presence of this claim in the token and only allow read only access.


#3