Re: [OAUTH-WG] user impersonation protocol?

Bill Mills <> Mon, 16 February 2015 21:51 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7434F1A6F10 for <>; Mon, 16 Feb 2015 13:51:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.509
X-Spam-Status: No, score=-1.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HvH4---N4zzo for <>; Mon, 16 Feb 2015 13:51:38 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 383201A0154 for <>; Mon, 16 Feb 2015 13:51:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s2048; t=1424121635; bh=4TSabegPr2g2mwvufgoE3+3cg+ChHrAfZ99PqAWD8Jw=; h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject; b=XbURST9QgKI3ECE49kDfxD/rftYj1iNgjnojtSur1lArX4dL3qGLbYym6hxB/oNbDvZubqYU9HqRfVha9rDel57rEJEa5pqQEZ1ycYFsNO4s4zaQVz9fheaWw251NlUJfkZCs5Lq75T5l2Pan6igg2PVMS2tjXSpgrOmQLe30S7pNrgbBAvg2NuCSjyq4J1fACyMlDNpK2+ANJaw7MkASlkbBz33VZUbLfF27icyuFVjbrnlWUNyHxJsUtMK4JoRb5A0GTJ8fQ9QMkVkvrfEgqrNe5P4YbjUXctb/0oOszPcXUPDh5Yu8F+/rIEWUmd8hXZQpWDdsIW+zVxiArkrVw==
Received: from [] by with NNFMP; 16 Feb 2015 21:20:35 -0000
Received: from [] by with NNFMP; 16 Feb 2015 21:20:35 -0000
Received: from [] by with NNFMP; 16 Feb 2015 21:20:35 -0000
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: iRwGSwIVM1l5jj1UXV7LZTRYPkr97Md9bJOHCg2blz0IT3u2n440xKdUrT_xrPf airdTsWSNfSTfhpcaZpXXC9RhOsa4rE5TZGLysPtSy8ryXTG.zQD4woJj1iCreeeyuZd1tR1tvOl V07Sr.p3izI_o9bXKro2VEHYv7LV.eK3B4f508HClQGJtlCj.ba8R2eA.5qNUZXoRNb5LsZeklOe YGtLyXDmCzro6e54c1yVh50Oe0Z5ZqI7WbKrz4SCrSzQAW5eXLEePVBWoHGcbV9dqhrrmMFeDgqU y07TReKlAmB01OCm8.rC9NUX66GjDWJeFdGXTDDYhd6KtLIy3f0xp0m_MsqHiHT0IEyJGSR1wP56 a3qrm8NTeT83St3L7HPvJDSHPoA_1eLsJpuNyYedPudLhOT6JzCfKGIuhQr3qmZ5gR_0wQJ2uP7K m0NITWU6_.hPJbfAVHmfmFDzHpvZlnPpNViadjCZbSAXDMqyOx0u2ryow3h3uP6PUyeGePQ8.Z2z yqjNvaMxh5rm89l6UKjpMZ6BUK5lD9SNtop.KqLUSg6W1ssl1x7SMQxxzgP4XW8YhfPHVtDXIOJG kIAWRb.qmc8zKvypPX4n6fTGWBqbC1pljU3yfg.SXyjtj5fh0dgOPDTVuG7ZEpEyjAQ9k5wmlEpb xU3eFVRWRsVVREQbKMGO9V0WP8IxvMi4zeYGCnb5sZ89fndbbww--
Received: by; Mon, 16 Feb 2015 21:20:35 +0000
Date: Mon, 16 Feb 2015 21:20:34 +0000
From: Bill Mills <>
To: William Denniss <>, Justin Richer <>, Bill Burke <>, oauth <>
Message-ID: <>
In-Reply-To: <>
References: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_7820861_909648758.1424121634776"
Archived-At: <>
Subject: Re: [OAUTH-WG] user impersonation protocol?
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <>
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 16 Feb 2015 21:51:40 -0000

Straight impersonation with no limitations isn't a good solution in the long run. 

     On Monday, February 16, 2015 1:13 PM, William Denniss <> wrote:

 I led a discussion on a related topic at a recent IIW (specifically exploring the "account sharing" use case), the notes are here:  It was an interesting discussion, the whole topic of impersonation certainly raises a lot of policy questions.
As for the technical implementation, our conclusion was that the simplest approach for impersonation would be to continue to supply an ID Token for the target user (i.e. 'sub' represents the user being impersonated), and add an additional JWT claim for the user doing the impersonation (e.g. 'ipb' meaning "impersonated by").
Thus, any relying party who doesn't understand this claim continues to work as before (oblivious to the fact the user is being impersonated), and those who understand the claim and care about impersonation can take action (e.g. log a better audit trail, limit some functionality or outright block the behavior).
If this approach sounds interesting to you, perhaps we could formally register & standardise the 'ipb' claim.  Of course, anyone can use this technique today via a private claim.

On Mon Feb 16 2015 at 7:36:23 AM Justin Richer <> wrote:

Another question is whether or not you can user rights delegation (ie vanilla OAuth) or if you really do need impersonation. You may be able to get the desired results with less complexity that way.

-- Justin
/ Sent from my phone /

-------- Original message --------
From: Bill Burke <> 
Date:02/16/2015 10:20 AM (GMT-05:00) 
To: Bill Mills <>, Justin Richer <>, oauth <> 
Subject: Re: [OAUTH-WG] user impersonation protocol? 

Yeah, I know its risky, but that's the requirement.  Was just wondering 
if there was any protocol work being done around it, so that we could 
avoid doing a lot of the legwork to make it safe/effective.  Currently 
for us, we need to do this between two separate IDPs, which is where the 
protocol work comes in...If it was just a single IDP managing 
everything, then it would just be an internal custom IDP feature.

Thanks all.

On 2/16/2015 12:37 AM, Bill Mills wrote:
> User impersonation is very very risky.  The legal aspects of it must be
> considered.  There's a lot of work to do to make it safe/effective.
> Issuing a scoped token that allows ready only access can work with the
> above caveats.  Then properties/componenets have to explicitly support
> the new scope and do the right thing.
> On Sunday, February 15, 2015 8:34 PM, Justin Richer <> wrote:
> For this case you'd want to be very careful about who was able to do
> such impersonation, obviously, but it's doable today with custom IdP
> behavior. You can simply use OpenID Connect and have the IdP issue an id
> token for the target user instead of the "actual" current user account.
> I would also suggest considering adding a custom claim to the id token
> to indicate this is taking place. That way you can differentiate where
> needed, including in logs.
> -- Justin
> / Sent from my phone /
> -------- Original message --------
> From: Bill Burke <>
> Date:02/15/2015 10:55 PM (GMT-05:00)
> To: oauth <>
> Cc:
> Subject: [OAUTH-WG] user impersonation protocol?
> We have a case where we want to allow a logged in admin user to
> impersonate another user so that they can visit differents browser apps
> as that user (So they can see everything that the user sees through
> their browser).
> Anybody know of any protocol work being done here in the OAuth group or
> some other IETF or even Connect effort that would support something like
> this?
> Thanks,
> Bill
> --
> Bill Burke
> JBoss, a division of Red Hat
> _______________________________________________
> OAuth mailing list
> _______________________________________________
> OAuth mailing list
> <>

Bill Burke
JBoss, a division of Red Hat
OAuth mailing list