This message was deleted Ory Community #general

Join Slack

This message was deleted.

# general

microscopic-answer-24504

01/31/2024, 4:10 PM

This message was deleted.

steep-lamp-91158

01/31/2024, 5:01 PM

this is not supported in the way you described due to security concerns and best-practices

steep-lamp-91158

01/31/2024, 5:05 PM

if you need this for some support requests, we recommend to authenticate the user properly, and then add something like a "impersonate as" field to a request this way, you can still fully trust the authentication, and you can add authorization checks around what user is allowed to impersonate what other user under what conditions

red-machine-69654

02/01/2024, 9:47 AM

@steep-lamp-91158 Thanks for responding. What you mean by "authenticate the user properly"?

steep-lamp-91158

02/01/2024, 9:53 AM

the user who would get the impersonation session needs to authenticate somehow as well, but using their own credentials only after you know that they actually are who they claim to be, you should allow them to "impersonate" someone when you create a session using the admin API, you run the risk of not properly authenticating the user

red-machine-69654

02/01/2024, 9:54 AM

That all sounds like a Hydra thing, right?

steep-lamp-91158

02/01/2024, 9:55 AM

depends, but that's something you have to keep in mind when building impersonation and why we don't support it natively

red-machine-69654

02/06/2024, 5:34 PM

@steep-lamp-91158 Can you provide a little more detail?

red-machine-69654

02/06/2024, 5:35 PM

I understand that creating a session via Kratos' admin API is a security issue, etc. but then how is one supposed to do this?

steep-lamp-91158

02/06/2024, 5:47 PM

In your app at some point you determine the current user, with Kratos by taking the user ID from the whoami response. There you can add a way to use a different user ID instead:

Copy code

func getCurrentUserID(req *http.Request) (string, err) {
  user, err := getWhoAmI(req)

  if impersonated := req.Headers.Get("Impersonated-User-Id"); impersonated != "" {
    if isAllowedToImpersonate(user, impersonated) {
      return impersonated, nil
    }
  }
  return user.id, nil
}

For reusability, it would obviously be best to do this in a gateway, depending on your setup.

steep-lamp-91158

02/06/2024, 5:48 PM

Also, you'd have to have some admin panel that allows to find the user ID and adjusts the client to always send the header. Cookies would obviously also work, or any other way.

steep-lamp-91158

02/06/2024, 5:49 PM

this way you always do the right authn & authz checks

red-machine-69654

02/06/2024, 6:24 PM

Oh, I see what you mean. So build some kind of mechanism that adds the header or a cookie, etc.. And then use something like your code at a central place.

red-machine-69654

02/06/2024, 6:24 PM

We currently use oathkeeper to extract the user ID and pass it on to services. I am wondering if there's a way to do this in OAthkeeper

red-machine-69654

02/06/2024, 6:28 PM

So we use a mutator right now and the backend is fully agnostic or oblivious to what "authn" is 😄

64 Views

Open in Slack

Previous Next