
Should impersonated and impersonator properties be persisted when doing silent authentication?



When performing User Impersonation, the properties impersonated and impersonator are set on the user profile as expected.

getSSOData does not support impersonation; however, silent authentication does work. This means you can impersonate the user and authenticate silently using single sign on with different callbacks without needing to make multiple impersonation requests.

However, after impersonating and doing silent authentication, impersonated and impersonator are not preserved when you might expect them to remain set, which means applications cannot reliably determine if the user has been impersonated.

I think either the impersonated and impersonator properties should be persisted, or perhaps silent authentication shouldn’t actually support impersonation and you should be forced to make multiple impersonation requests?