Re: [OAUTH-WG] user impersonation protocol?

Bill Mills <> Mon, 16 February 2015 05:37 UTC

Date: Mon, 16 Feb 2015 05:37:40 +0000
From: Bill Mills <>
To: Justin Richer <>, Bill Burke <>, oauth <>

User impersonation is very very risky. The legal aspects of it must be considered. There's a lot of work to do to make it safe/effective.
Issuing a scoped token that allows read only access can work with the above caveats. Then properties/components have to explicitly support the new scope and do the right thing.

     On Sunday, February 15, 2015 8:34 PM, Justin Richer <> wrote:

 For this case you'd want to be very careful about who was able to do such impersonation, obviously, but it's doable today with custom IdP behavior. You can simply use OpenID Connect and have the IdP issue an id token for the target user instead of the "actual" current user account. 
I would also suggest considering adding a custom claim to the id token to indicate this is taking place. That way you can differentiate where needed, including in logs.
-- Justin
/ Sent from my phone /

-------- Original message --------
From: Bill Burke <> 
Date:02/15/2015 10:55 PM (GMT-05:00) 
To: oauth <> 
Subject: [OAUTH-WG] user impersonation protocol? 

We have a case where we want to allow a logged in admin user to 
impersonate another user so that they can visit different browser apps 
as that user (So they can see everything that the user sees through 
their browser).

Anybody know of any protocol work being done here in the OAuth group or 
some other IETF or even Connect effort that would support something like 



Bill Burke
JBoss, a division of Red Hat

OAuth mailing list

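The two suggestions in this thread, an id token minted for the target user that carries a custom claim naming the impersonating admin (Justin) and a scope that confines the impersonated session to read-only access which every relying component must enforce (Bill Mills), fit together in a small amount of code. The following is an added illustration written for this archive page, not code from any of the posters or from an IdP product. It assumes an HS256-signed JWT with a shared secret for the demo, a hypothetical claim name `impersonator` (the thread only says "a custom claim"), and a `scope` claim carried in the token for simplicity; in a real OpenID Connect deployment the scope would normally live in the access token and the signature would be asymmetric.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this HS256 demo; a real IdP uses its own signing key.
IDP_SECRET = b"demo-secret-not-for-production"

# Hypothetical claim name for "this token was issued to an admin acting as `sub`".
IMPERSONATOR_CLAIM = "impersonator"
READ_ONLY_SCOPE = "read"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(subject, impersonator=None, scope="read write", now=None):
    """IdP side: issue an id-token-style JWT whose `sub` is the target user.
    When an admin impersonates, the admin's identity goes into the custom claim
    and the scope is forced down to read-only, whatever the caller asked for."""
    now = int(now if now is not None else time.time())
    claims = {"iss": "https://idp.example", "sub": subject,
              "iat": now, "exp": now + 300, "scope": scope}
    if impersonator is not None:
        claims[IMPERSONATOR_CLAIM] = impersonator
        claims["scope"] = READ_ONLY_SCOPE
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, now=None):
    """Resource-server side: check algorithm, signature and expiry; return claims."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(IDP_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    now = int(now if now is not None else time.time())
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize(token, action, audit_log, now=None):
    """Decide whether `action` ("read" or "write") is allowed for this token.
    An impersonated session is confined to read-only access even if the scope
    somehow says otherwise, and every decision is logged with both the acting
    admin and the impersonated user so the two can be told apart later."""
    claims = verify_id_token(token, now=now)
    actor = claims.get(IMPERSONATOR_CLAIM)
    granted = claims.get("scope", "").split()
    allowed = action in granted and not (actor is not None and action != READ_ONLY_SCOPE)
    audit_log.append({"sub": claims["sub"], "impersonator": actor,
                      "action": action, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    log = []
    tok = mint_id_token("alice", impersonator="admin-bob")
    print("read allowed:", authorize(tok, "read", log))    # True
    print("write allowed:", authorize(tok, "write", log))  # False
    print(log[-1])
```

The point of `authorize` is that the read-only restriction is enforced at the resource, not only at the IdP: a component that ignores the custom claim and simply honours `sub` would let the admin act with the user's full rights, which is exactly the failure mode the thread warns about.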