Re: [OAUTH-WG] user impersonation protocol?
Justin Richer <jricher@mit.edu> Mon, 16 February 2015 04:34 UTC
Date: Sun, 15 Feb 2015 23:34:28 -0500
From: Justin Richer <jricher@mit.edu>
To: Bill Burke <bburke@redhat.com>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] user impersonation protocol?
For this case you'd want to be very careful about who was able to do such impersonation, obviously, but it's doable today with custom IdP behavior. You can simply use OpenID Connect and have the IdP issue an id token for the target user instead of the "actual" current user account. I would also suggest considering adding a custom claim to the id token to indicate this is taking place. That way you can differentiate where needed, including in logs.

-- Justin / Sent from my phone /

-------- Original message --------
From: Bill Burke <bburke@redhat.com>
Date: 02/15/2015 10:55 PM (GMT-05:00)
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] user impersonation protocol?

We have a case where we want to allow a logged in admin user to impersonate another user so that they can visit different browser apps as that user (so they can see everything that the user sees through their browser). Anybody know of any protocol work being done here in the OAuth group or some other IETF or even Connect effort that would support something like this?

Thanks,

Bill

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
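Justin's suggestion, an IdP-issued ID token whose `sub` is the target user plus a custom claim recording who is really behind the session, sketched as an added example that is not code from the thread or from any product mentioned in it. The claim name `impersonated_by`, the HS256 shared secret and the issuer URL are assumptions chosen to keep the demo self-contained; a real IdP would sign with its published key and the relying party would verify against the JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret: stands in for the IdP's signing key so this runs offline.
IDP_SECRET = b"constructed-demo-secret"
IMPERSONATION_CLAIM = "impersonated_by"   # assumed custom claim name, not a standard claim

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(target_user, client_id, admin=None, now=None):
    """IdP side: mint an ID token for the target user. When an admin is
    impersonating, the custom claim records the real actor."""
    now = now or int(time.time())
    claims = {"iss": "https://idp.example", "sub": target_user, "aud": client_id,
              "iat": now, "exp": now + 300}
    if admin is not None:
        claims[IMPERSONATION_CLAIM] = admin
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_id_token(token, client_id, now=None):
    """Relying party side: check signature, audience and expiry, then expose the
    impersonation claim as an explicit flag so the app can log it."""
    header, body, sig = token.split(".")
    # The algorithm is fixed here rather than read from the header, so a forged
    # header cannot downgrade or switch the verification method.
    expected = hmac.new(IDP_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    now = now or int(time.time())
    if claims["aud"] != client_id or claims["exp"] <= now:
        raise ValueError("audience or expiry check failed")
    actor = claims.get(IMPERSONATION_CLAIM)
    return {"effective_user": claims["sub"], "actor": actor or claims["sub"],
            "impersonated": actor is not None}

def audit_line(session):
    """Log entry for the app: impersonated sessions are marked so they can be
    told apart from ordinary logins when reviewing logs."""
    if session["impersonated"]:
        return f"login user={session['effective_user']} IMPERSONATED_BY={session['actor']}"
    return f"login user={session['effective_user']}"
```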