
Unable to impersonate user

authentication_api
management-api
authentication
user-impersonation
user

#1

I am working with a client who has their own Auth0 account with impersonation.

All restricted pages make a call to

    // Auth0 PHP SDK client (Auth0\SDK\Auth0); getUser() returns the user stored in the session
    $this->auth0 = new Auth0(array(
        'domain'        => '{domain}',
        'client_id'     => '{client_id}',
        'client_secret' => '{secret}',
        'redirect_uri'  => 'http://{redirect_domain}/callback.php'
    ));
    return $this->auth0->getUser();

to verify the user upon page load.

I have got the impersonation working by making a call to retrieve a link which looks like
https://{domain}.auth0.com/users/{user_id}/impersonate?&bewit={code}
which generates additional variables such as access_token, expires_in, id_token and token_type=Bearer. How do I use these variables to impersonate? The Auth0 call above will always pull the impersonator's credentials and not the credentials of the person I want to impersonate.

The code is written in PHP. If anything else is needed, please let me know.


Update:

The setup is a regular web application using Auth0 lock for login with openid and email scope. The callback redirect will call the above Auth0 to ensure the user session is valid and is then redirected to the restricted destination. Each restricted page contains the same Auth0 check and local DB check to ensure the user exists without discrepancies.

Looking at the docs, it looks like the access token can be used to pull the required user information but I haven’t toyed with authorization using access tokens since the application relies on the lock mechanism. I need to either pull the Auth0 session for the user I want to impersonate or update my pages to pull the user information making an Auth0 get user API call to present the pages accordingly. Unless there is another way or API I should explore?


#2

Keep in mind that you’ll need to use an impersonation configuration suitable for the client application in question. For example, if the client application is a regular web application that uses the authorization code grant as part of the user authentication process, then you also need to generate an impersonation URL compatible with that; in particular, if you’re obtaining the link through the Auth0 Dashboard you should use the link generated for a Server side app.

In addition to the above, you may also need to configure the advanced settings in order to make the impersonation compatible with the client application in question, for example, due to certain specific scope requirements. For reference information see: https://auth0.com/docs/user-profile/user-impersonation

In conclusion, you’ll need to generate an impersonation link in accordance with how you implemented your client application.


Update:

In general, your regular web application should only redirect to Auth0 if it has not already established an authenticated session. This would mean that accessing a correctly configured impersonation link would send the necessary information for your regular web application to establish an authenticated session in such a way that accessing other pages would use that session instead of trying to redirect again to Auth0.

This is explained in the PHP login quickstart; the only difference with impersonation is that the code received to bootstrap the local session would be received from the impersonation link instead of a regular user authentication process.
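As an added example (not code from this thread or from Auth0), here is how the two points in this answer fit together in PHP: redirect to Auth0 only when no session exists, and request the impersonation link with a body that matches an authorization-code web application. It assumes the Auth0 PHP SDK class Auth0\SDK\Auth0 with getUser() and login(), placeholder tenant values, and the impersonation body field names from the docs linked above.

```php
<?php
// Added example, not code from this thread or from Auth0. Assumes the Auth0 PHP SDK
// class Auth0\SDK\Auth0 with getUser() and login(), and placeholder tenant values.
require __DIR__ . '/vendor/autoload.php';

use Auth0\SDK\Auth0;

function auth0Client(): Auth0
{
    return new Auth0(array(
        'domain'        => '{domain}',
        'client_id'     => '{client_id}',
        'client_secret' => '{secret}',
        'redirect_uri'  => 'https://{redirect_domain}/callback.php',
    ));
}

// Shared by callback.php and every restricted page. getUser() returns the user already
// stored in the PHP session; on callback.php it first exchanges the "code" parameter,
// which arrives the same way from a Lock login and from an impersonation link.
function requireUser(Auth0 $auth0): array
{
    $user = $auth0->getUser();
    if (!$user) {
        // No session yet: the only case that should redirect to Auth0. Redirecting
        // unconditionally would discard the session the impersonation link created.
        $auth0->login();
        exit;
    }
    return $user;
}

// Body for POST /users/{user_id}/impersonate for a server-side (code grant) app.
// Field names assumed from the impersonation docs; response_type "code" rather than
// "token" is what a regular web application's callback expects.
function impersonationBody(string $impersonatorId, string $clientId, string $callback): string
{
    return json_encode(array(
        'protocol'             => 'oauth2',
        'impersonator_id'      => $impersonatorId,   // user_id of the admin doing the impersonating
        'client_id'            => $clientId,         // the client the impersonated user logs into
        'additionalParameters' => array(
            'response_type' => 'code',
            'scope'         => 'openid',
            'callback_url'  => $callback,
        ),
    ));
}

// callback.php and each restricted page both run this and then render the page.
$user = requireUser(auth0Client());
echo 'Logged in as ' . htmlspecialchars($user['email'] ?? $user['sub']);
```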


#3

Thank you for your support @jmangelo, much appreciated!

I can see what you mean in terms of using the session generated from Auth0 which should be created when you use the impersonation link and to not use the Auth0->get_user() as this will destroy the impersonating session.

OK, I generate the impersonation link, which redirects to my callback page. Before I initiate the auth0->get_user() function I initiate session_start() and dump/print the $_SESSION to see what I have (this is the Auth0 redirect when you click on the impersonation link), and the $_SESSION still contains my impersonator session and not the impersonating session. I have dumped before and after Auth0->get_user to no avail.

To go through my setup so we are all across it, I have:

  • Two clients, Admin and Public

  • Admin user will generate impersonating link with the following:

    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_URL => "https://{DOMAIN}.auth0.com/oauth/token",
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST => "POST",
        // json_encode avoids the unescaped quotes of a hand-built JSON string
        CURLOPT_POSTFIELDS => json_encode(array(
            'grant_type'    => 'client_credentials',
            'client_id'     => '{GLOBAL CLIENT ID}',
            'client_secret' => '{GLOBAL CLIENT SECRET}'
        )),
        CURLOPT_HTTPHEADER => array(
            "content-type: application/json"
        ),
    ));
    $response = json_decode(curl_exec($curl), true);
    // Authorization header reused by the impersonation request below
    $token = "Authorization: Bearer " . $response['access_token'];

This will generate the access token which is used to generate the link:

    // Request body: the URL names the user to impersonate, impersonator_id should name
    // the admin user performing the impersonation
    $postfields = json_encode(array(
        'protocol'             => 'oauth2',
        'impersonator_id'      => $member_userid,
        'client_id'            => '{ADMIN CLIENT ID}',
        'additionalParameters' => array(
            'response_type' => 'token',
            'scope'         => 'openid',
            'callback_url'  => 'https://{DOMAIN}/callback.php'
        )
    ));

    curl_setopt_array($curl, array(
        CURLOPT_URL => "https://{DOMAIN}.auth0.com/users/" . $member_userid . "/impersonate",
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST => "POST",
        CURLOPT_POSTFIELDS => $postfields,
        CURLOPT_HTTPHEADER => array(
            $token,   // "Authorization: Bearer {access_token}" from the token request above
            "content-type: application/json"
        )
    ));
    $impersonation_link = curl_exec($curl);
    curl_close($curl);

Is there something I’m missing?

Thanks so much for your help!

