microscopic-answer-24504
01/17/2024, 2:30 AM

rhythmic-refrigerator-87521
02/01/2024, 9:23 AM
/oauth2/auth endpoint. The additional parameter contains an "impersonateRequestId" that we generated previously when the user clicked on the impersonate button. It is stored in the database and can be used only once.

Once Hydra redirects to our login callback, it passes the additional parameters along with the Hydra challenge id and the impersonateRequestId. We check in the database whether the impersonateRequestId is valid, and if it is, we directly accept the login challenge in Hydra, passing both the userId and the "impersonatedAsUserId" in the Hydra session.

When introspecting this token later, we see that the impersonatedAsUserId is present and we use it to select the currentUser before doing any operation. We keep the primary user in the context for logging purposes, and we could (not done currently) prevent some actions from being performed while in an impersonation session.

We did all that on top of the official Hydra APIs. I think the recommendation is to do the same when using Kratos; ORY doesn't seem to plan to support impersonation flows natively in the short term.