Understanding that true user impersonation isn’t possible, my proposed solution to mimic impersonation by adding a claim to the JWT so that my JWT still has my user’s sub but it also has metadata that the app can reference to treat the admin as another user.
Is there a way to refresh a user’s JWT with mutated claims out of scope of their login? When I log in, my JWT might look like this:
You will need an action or a rule to modify the access token, and because the claim is not a standard claim, you will need to namespace it, like https://mynamespace.mydomain.com/acts_as instead of just acts_as.
This is a good way to do impersonation, just make sure to log everything as “User John Doe/1516…22 performed actions X on behalf of user 987…321”, getting both users in the log message to make it clear.
I should have been more clear. The namespacing and auditing I understand. I’m curious how to mutate the JWT out of scope of a login event.
For example, Joe Admin logs in at 10am. At 10:15am he goes to the list of users, finds Jane User, and clicks a button to impersonate her. How do I mutate that JWT to add the acts_as claim?
I’m not sure this is possible without requesting a new JWT - Perhaps you could look into using silent auth? You might also be able to work something into using a refresh token since it sounds like it would just require a new claim (as opposed to a new scope). FWIW, rules/actions will be run on the refresh token request as well.