0
votes

I need to provide the impersonate functionality outside of the Keycloak Admin Console, very similar to the Impersonate button. What I am doing is calling the Keycloak REST API for

  1. obtaining the access_token (auth/realms/master/protocol/openid-connect/token),
  2. which is then passed into another call to impersonate the user: admin/realms/{realm}/users/{id}/impersonation.

The second call is returning a redirect link with a boolean, and in the headers there are, besides others, the KEYCLOAK_SESSION and KEYCLOAK_IDENTITY cookies.

I need to somehow log the user out of the application, set those cookies in the browser, do the redirect to the login page and be logged in as the other user. I think it's a common situation and Keycloak has its miraculous Impersonate button which does the same, but I need to have it outside of the Admin Console. Could somebody assist with help on this issue? Many thanks

2 Answers

2
votes

I just implemented this feature for our KC; the approach we took was using REST APIs. The "Super User" needs to be logged in (valid KC session). Then they can initiate an impersonation session; we chose to use the username to find the impersonatee. Once you validate the person exists within the KC realm you can create a UserSessionModel for that person. Then create a login cookie; I learned that the KC AuthenticationManager has a neat little method that creates a login cookie and appends it to the response headers (really cool). Then I stored my credentials (Super User) inside a cookie and returned the response with those cookies appended. The return REST method is a very similar process; the parameters it takes are different because we need to pass the cookies back and grab the super user id and his session id. Once you have those you just repeat the first method (find user, find session instead of creating a new one unless the old session timed out), redirect back to origin. Oh, also don't forget to end the impersonation session.

    // look up the impersonated user's session by the id stored earlier and remove it
    UserSessionModel impersonatedSession = session.sessions().getUserSession(realm, impersonatedSessionId);
    if (impersonatedSession != null) {
        session.sessions().removeUserSession(realm, impersonatedSession);
    }

I forgot to do that during testing and was running into some issues. I know the post is old but there are people still looking for this type of information :D

I hope this helps

2
votes

This is too late to respond, but it can help if someone is still looking for an easy solution. We encountered the same use case where we wanted to provide impersonation outside of Keycloak (in an OIDC client). To achieve this we used the Keycloak impersonation REST API: https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_users_resource.

Make sure to provide the impersonation permission to the Keycloak logged-in user before calling this API. Read more info at the link below: https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/token-exchange/token-exchange.adoc#impersonation

This API sends the complete impersonated user details in the response, including access tokens, session cookies, and CORS headers, like the image below.

We leveraged the CORS header allow-credentials and sent an ajax request to Keycloak with "withCredentials: true". This option directed the browser to replace all the cookies with the new ones.
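As an added example (not code from the question or either answer), the call both answers rely on, written as a small Python client: it POSTs to admin/realms/{realm}/users/{id}/impersonation with the super user's bearer token, checks that Keycloak actually accepted it, and pulls the redirect target and the KEYCLOAK_SESSION / KEYCLOAK_IDENTITY cookies out of the Set-Cookie headers. BASE_URL and the `post` transport parameter are assumptions; the token must belong to a user holding the realm-management impersonation role mentioned above.

```python
"""Client for Keycloak's admin impersonation endpoint (added example, not Keycloak code).
Returns what the question asked for: the redirect URL, the sameRealm flag and the
session cookies the browser needs to become the impersonated user."""
import json
import urllib.error
import urllib.request

BASE_URL = "https://keycloak.example.com/auth"  # assumption: replace with your server
WANTED_COOKIES = {"KEYCLOAK_SESSION", "KEYCLOAK_IDENTITY"}


def urllib_post(url, headers):
    """Default transport: empty POST, returns (status, [(header, value), ...], body)."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.getheaders(), resp.read().decode()
    except urllib.error.HTTPError as err:  # 401/403: token lacks the impersonation role
        return err.code, list(err.headers.items()), err.read().decode()


def session_cookies(headers):
    """Keep only the Keycloak session cookies from the Set-Cookie headers.
    Only name=value is parsed; Path/Secure/HttpOnly are left for the browser,
    which is the only place these cookies should be stored (never log them)."""
    cookies = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name, _, cookie_value = value.split(";", 1)[0].partition("=")
            if cookie_name.strip() in WANTED_COOKIES:
                cookies[cookie_name.strip()] = cookie_value
    return cookies


def impersonate(realm, user_id, bearer_token, post=urllib_post):
    """POST admin/realms/{realm}/users/{id}/impersonation.
    Returns (redirect_url, same_realm, cookies); raises when Keycloak refused the
    call or the response did not carry both session cookies."""
    url = f"{BASE_URL}/admin/realms/{realm}/users/{user_id}/impersonation"
    status, headers, body = post(url, {"Authorization": f"Bearer {bearer_token}"})
    if status != 200:
        raise PermissionError(f"impersonation refused: HTTP {status}: {body}")
    cookies = session_cookies(headers)
    missing = WANTED_COOKIES - cookies.keys()
    if missing:
        raise ValueError(f"response lacked cookies {sorted(missing)}")
    data = json.loads(body)  # Keycloak answers {"sameRealm": bool, "redirect": url}
    return data["redirect"], bool(data.get("sameRealm")), cookies
```

Because the cookies are scoped to the Keycloak host, they only take effect when the browser itself receives the Set-Cookie headers, which is why the answer above makes the request from the browser with credentials enabled rather than relaying the cookies through a backend.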