
Need help on impersonation

impersonation
access-token

#1

Hi,

I’m trying to implement impersonation in my app, so use case is that we have 2 users:
Impersonator and Impersonated one.

I reviewed the documentation and got stuck on step 3, the exchange, in this document https://auth0.com/docs/user-profile/user-impersonation

Steps I had implemented:

  1. Requested token endpoint with global client credentials
  2. Requested impersonate endpoint with the following parameters

{
  "protocol": "oauth2",
  "impersonator_id": "<impersonatorUserId>",
  "client_id": "MyClientId",
  "additionalParameters": {
    "response_type": "code", // Here tried with "token id_token" as well
    "state": ""
  }
}

Got the callback URL with code or tokens

  3. Called the oauth/token endpoint to exchange the authorization code for an access token, which is what authenticates users in my app, but every time I am getting

{"error":"invalid_grant","error_description":"Invalid authorization code"}

What am I doing wrong, and what is the right flow of impersonation in my case?

Thanks


#2

Hello, Albert. Our deprecation endpoints have been deprecated for a number of reasons. Mainly that you have to reduce security elsewhere in your app to get it to work.

My recommendation is to tell me a little bit about what you are trying to accomplish with impersonation and see if we can figure out a way to do this with standard authentication of your impersonator.


#3

Hi Carlos, thanks for the quick response.

Let me describe some points of our app.

It is a school portal where the users are teachers, and we have a case where one of the teachers is not able to work and needs to be swapped with someone. Our application uses an access token to authenticate, so with impersonation we are mainly covering swapping the impersonated user (the teacher who is not able to work) with the impersonated one (someone who is covering). So to get the impersonated teacher's data we need to log in the covering user as the teacher and work with it.


#4

Albert, I redacted my last comment for now. We are doing some internal security reviews of impersonation and until those are complete I’m pulling my previous comment. I will add it back with maybe some changes once that review is completed.