Re: [OAUTH-WG] user impersonation protocol?

Justin Richer <> Mon, 16 February 2015 04:34 UTC

Date: Sun, 15 Feb 2015 23:34:28 -0500
From: Justin Richer <>
To: Bill Burke <>, oauth <>

For this case you'd want to be very careful about who was able to do such impersonation, obviously, but it's doable today with custom IdP behavior. You can simply use OpenID Connect and have the IdP issue an id token for the target user instead of the "actual" current user account. 

I would also suggest considering adding a custom claim to the id token to indicate this is taking place. That way you can differentiate where needed, including in logs.

-- Justin

/ Sent from my phone /

-------- Original message --------
From: Bill Burke <> 
Date: 02/15/2015 10:55 PM (GMT-05:00)
To: oauth <> 
Subject: [OAUTH-WG] user impersonation protocol? 

We have a case where we want to allow a logged in admin user to 
impersonate another user so that they can visit different browser apps 
as that user (So they can see everything that the user sees through 
their browser).

Anybody know of any protocol work being done here in the OAuth group or 
some other IETF or even Connect effort that would support something like 



Bill Burke
JBoss, a division of Red Hat
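
The approach suggested in the reply at the top of this thread (an id token issued for the target user, carrying a custom claim that marks the impersonation), as an added sketch that is not code from the thread or from any IdP product. The claim name `impersonated_by`, the issuer URL, the allow-list and the HS256 demo key are assumptions made for illustration, and nonce handling is omitted.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"        # constructed HS256 secret, demo only
ISS = "https://idp.example"          # constructed issuer URL
IMPERSONATORS = {"admin-42"}         # constructed allow-list of admins who may impersonate
CLAIM = "impersonated_by"            # hypothetical custom claim name, not a registered claim

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64e(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue_id_token(actor_sub, target_sub=None, aud="app-1", now=None):
    """IdP side: issue an id token; when impersonating, sub is the target user."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISS, "aud": aud, "iat": now, "exp": now + 300, "sub": actor_sub}
    if target_sub is not None and target_sub != actor_sub:
        if actor_sub not in IMPERSONATORS:   # restrict who can impersonate at all
            raise PermissionError(f"{actor_sub} may not impersonate {target_sub}")
        claims["sub"] = target_sub           # the app sees the target user
        claims[CLAIM] = actor_sub            # the custom claim records the real account
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{header}.{body}.{sign(header + '.' + body)}"

def audit_login(token, aud="app-1", now=None):
    """RP side: verify the token, then build a log record separating subject and actor."""
    now = int(time.time()) if now is None else now
    header, body, sig = token.split(".")
    if json.loads(b64d(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, sign(header + "." + body)):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    if claims["iss"] != ISS or claims["aud"] != aud or claims["exp"] <= now:
        raise ValueError("wrong issuer or audience, or expired")
    actor = claims.get(CLAIM)
    return {"subject": claims["sub"], "actor": actor or claims["sub"],
            "impersonation": actor is not None}
```

Because the claim sits inside the signed payload, an application cannot be handed an impersonation token with the marker stripped; the log record keeps the real admin account next to the user being impersonated.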
