microscopic-answer-24504
02/02/2023, 7:58 AM magnificent-energy-493
adorable-scooter-1570
02/02/2023, 8:57 AM adventurous-battery-51816
02/03/2023, 5:29 AM steep-lamp-91158
adorable-scooter-1570
02/03/2023, 5:55 PM adventurous-battery-51816
02/03/2023, 5:57 PM magnificent-energy-493
adorable-scooter-1570
02/03/2023, 6:13 PM adventurous-battery-51816
02/06/2023, 6:22 AM steep-lamp-91158
> In direct naked impersonation, a client can impersonate any user in the realm without exchanging subject tokens.
> It is very risky to enable direct naked impersonation for a client. If the client’s credentials are ever stolen, that client can impersonate any user in the system.

Which is why they use the OAuth2 token exchange for that reason. My proposal is to authenticate admins the same way as any other user using identities (Kratos), and then allowing admins (by checking the appropriate permissions) to switch the subject they act as. You typically have all kinds of permission checks all around your applications, and there you can either use the user ID from the current session (standard way), or look up e.g. in an impersonation mapping table which other subject to use instead (impersonation). This is still a bit generic, but I hope the gist of it makes sense. I'd be very happy to write up an impersonation docs page/guide with your feedback as well.
adventurous-battery-51816
02/06/2023, 10:05 AM adorable-scooter-1570
02/06/2023, 5:31 PM steep-lamp-91158
adventurous-battery-51816
02/07/2023, 11:28 AM adorable-scooter-1570
02/07/2023, 4:17 PM adorable-scooter-1570
02/07/2023, 4:32 PM adorable-scooter-1570
02/07/2023, 4:38 PM adorable-scooter-1570
02/07/2023, 4:38 PM adorable-scooter-1570
02/07/2023, 4:41 PM adventurous-battery-51816
02/08/2023, 12:05 PM adventurous-battery-51816
02/08/2023, 2:52 PM magnificent-energy-493
> In direct naked impersonation, a client can impersonate any user in the realm without exchanging subject tokens.
> It is very risky to enable direct naked impersonation for a client. If the client’s credentials are ever stolen, that client can impersonate any user in the system.

It is possible to do this using Ory, but not what we would recommend. I think if you already have an idea how that guide would be most helpful to you and you would create an issue in github.com/ory/docs or github.com/ory/keto, that would help Patrik a lot to keep on top of it, as there are many different things he is looking into in a given day. @adorable-scooter-1570 no worries about the Slack post 🙂, thanks for sharing more information! If you could compile it on GitHub that would be most helpful, as our Slack free plan eats messages after a few weeks. Let me know if I can help.
adorable-scooter-1570
02/08/2023, 4:52 PM adventurous-battery-51816
02/08/2023, 4:57 PM
> You typically have all kinds of permission checks all around your applications, and there you can either use the user ID from the current session (standard way), or look up e.g. in an impersonation mapping table which other subject to use instead (impersonation). This is still a bit generic, but I hope the gist of it makes sense. I'd be very happy to write up an impersonation docs page/guide with your feedback as well.
adventurous-battery-51816
02/08/2023, 4:57 PM adventurous-battery-51816
02/08/2023, 5:29 PM adventurous-battery-51816
02/08/2023, 5:43 PM