How to Modify Access Token with acts_as claim to imitate user impersonation

Understanding that true user impersonation isn’t possible, my proposed solution is to mimic impersonation by adding a claim to the JWT so that my JWT still has my user’s sub but it also has metadata that the app can reference to treat the admin as another user.

Is there a way to refresh a user’s JWT with mutated claims out of scope of their login? When I log in, my JWT might look like this:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

and then when I take an action to act as another user, it might look like this:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "acts_as": "987654321"
}

Thanks!

Hey @dominic1

You will need an action or a rule to modify the access token, and because the claim is not a standard claim, you will need to namespace it, like https://mynamespace.mydomain.com/acts_as instead of just acts_as.

This is a good way to do impersonation, just make sure to log everything as “User John Doe/1516…22 performed actions X on behalf of user 987…321”, getting both users in the log message to make it clear.

John


Thanks, John!

I should have been more clear. The namespacing and auditing I understand. I’m curious how to mutate the JWT out of scope of a login event.
For example, Joe Admin logs in at 10am. At 10:15am he goes to the list of users, finds Jane User, and clicks a button to impersonate her. How do I mutate that JWT to add the acts_as claim?

Thanks again.


Hey @dominic1 welcome to the community!

I’m not sure this is possible without requesting a new JWT - Perhaps you could look into using silent auth? You might also be able to work something into using a refresh token since it sounds like it would just require a new claim (as opposed to a new scope). FWIW, rules/actions will be run on the refresh token request as well.

Ahh that’s super helpful @tyf thank you! I will experiment with that


Yes, what @tyf said - use silent auth to get a new token. – j
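Putting John's namespaced-claim advice and tyf's "Actions also run on the refresh/silent-auth request" point together, here is an added example (not code from this thread or from Auth0). It assumes the namespace from John's reply, that your backend stores the impersonation target in the admin's app_metadata.impersonate before triggering silent auth, and a hypothetical allowlist of subs permitted to impersonate on the backend side.

```javascript
// Added example, not code from the thread or from Auth0. Two halves of the
// acts_as pattern: (1) a post-login Action body that stamps the namespaced
// claim, and (2) the backend check that consumes it and writes the audit line.
const NAMESPACE = "https://mynamespace.mydomain.com/"; // namespace from the thread
const ACTS_AS_CLAIM = NAMESPACE + "acts_as";

// (1) Action body. Auth0 expects it as `exports.onExecutePostLogin`; it is a
// plain const here so the file runs stand-alone. Assumption: when the admin
// clicks "impersonate", your backend writes the target id into the admin's
// app_metadata.impersonate (e.g. via the Management API) and then starts
// silent auth, so this Action sees it on the fresh token request.
const onExecutePostLogin = async (event, api) => {
  const meta = event.user.app_metadata || {};
  const roles = (event.authorization && event.authorization.roles) || [];
  // Only stamp the claim for admins, and never let a user impersonate themselves.
  if (meta.impersonate && roles.includes("admin") && meta.impersonate !== event.user.user_id) {
    api.accessToken.setCustomClaim(ACTS_AS_CLAIM, meta.impersonate);
  }
};

// (2) Backend side. Assumes signature, issuer, audience and expiry were already
// verified by your JWT library; this only interprets the verified claims.
// `allowedActors` is a hypothetical allowlist of subs permitted to impersonate
// (defence in depth: the backend does not honour the claim on its own).
// A bare, un-namespaced "acts_as" key is deliberately ignored: Auth0 will not
// emit it, so it could only come from a token that bypassed the Action.
function resolveEffectiveUser(claims, allowedActors) {
  const actor = claims.sub;
  if (typeof actor !== "string" || actor === "") throw new Error("token has no sub");
  const target = claims[ACTS_AS_CLAIM];
  if (target === undefined) {
    return { actor, effectiveUser: actor, impersonating: false, audit: null };
  }
  if (typeof target !== "string" || target === "" || target === actor) {
    throw new Error("malformed acts_as claim");
  }
  if (!allowedActors.has(actor)) throw new Error("sub " + actor + " may not impersonate");
  // Audit line naming both identities, as John recommends.
  const audit = "User " + (claims.name || actor) + "/" + actor +
    " acting on behalf of user " + target;
  return { actor, effectiveUser: target, impersonating: true, audit };
}
```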

