Auth0 Home Blog Docs

Impersonation URL with additional parameters



I had successfully use impersonation API to get an impersonation URL: https://<AUTO0 DOMAIN>/users/<USER ID>/impersonate?&bewit=XXXYYYZZZ.

I want to redirect admin to certain URL after login successfully as the impersonated user. My first idea is adding a parameter to the impersonation URL and read the parameter in the client web app.

But https://<AUTO0 DOMAIN>/users/<USER ID>/impersonate?&bewit=XXXYYYZZZ&next=some path seems breaks the auth0 impersonation functionality. I got following error response:
{"error":"access_denied","error_description":"Impersonation - Bad mac"}.

Any other way to implement the functionality?


The /users/{id}/impersonate URL is processed by Auth0 service itself so you should not modify it. However, when obtaining an URL for impersonation you can specify additional parameters and one of them is the state parameter which could be used to also encode that final target URL. The state will then be delivered to the client application which can decode it, perform any applicable validations and use it to redirect the end-user.


I was getting the same error {"error":"access_denied","error_description":"Impersonation - Bad mac"} when sending a post request with state='' or when not sending state as all. The solution was to set a value to the state property. Auth0 documentation says the state is optional what doesn’t seem quite true.


How can I add an audience parameter to the User impersonation interface in Auth0 Dashboard?

When I try to log in using any of my clients, there’s no audience parameter, so the access token that I get back from using the Impersonation URL is not valid for my Custom API.

I tried setting the default audience on my tenant configuration - but that didn’t make any difference.

I tried following the guide for using the Impersonation API. It says in the guide to get an access token for the Management API V1. However, the Management API V1 /oauth/token endpoint is deprecated. So fetched an access token for my Management API from the dashboard instead, then tried to use that token for authorizing my request to the Impersonation API, however I’m just getting “Unauthorized” in the response.

I’m also confused with this since the Impersonation API seems to not be part of the Management API - judging from the API documentation… How’s so?

Please help!