manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License

Impersonation with Identity Server 4 #1115

Open michelevirgilio opened 3 years ago

michelevirgilio commented 3 years ago

Hi, I'm trying to implement an impersonation feature on Identity Server 4. The main idea is, for allowed users (for example admins):

  1. The angular app calls a protected endpoint on Api, for example Impersonate(int impersonateUserId)
  2. This endpoint requests a new Token to IS using RequestTokenAsync method of IdentityModel
  3. IS emits the new token with some custom claims inside it, for example ImpersonateUserId
  4. The endpoint returns the new issued token to angular app

These steps work fine, but after these I would like to use this new token, replacing the old one, forcing the Angular app to use this token for subsequent requests, including the silent refresh, but I cannot make it work.

I've tried to replace tokens in OAuthStorage:

    this.authStorage.setItem('access_token', token.accessToken);
    this.authStorage.setItem('refresh_token', token.refreshToken);

But for sure I'm missing something. Any help? Thank you very much.

jeroenheijmans commented 3 years ago

Oohh, I think you're relying on internals of the service to get what you need. Reasonable, but probably fragile. Things like expiry check, nonces, and other stuff might break if you do this :) just beware. There's no real supported way to tell the library "use this other token instead", for one because you then potentially go outside the OAuth2/OIDC spec the lib tries to comply with. The OAuthStorage interface is mainly there to allow you to customize persistence.

That said, I would have expected it to work. You'll have to dive into the code to see why it doesn't I'm afraid?

On a side note, isn't "Impersonation" some kind of (recent) spec / RFC? We could consider including support if it serves a wide enough audience?
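Putting the storage swap from the opening post together with the expiry caveat in the reply above, here is an added example (not code from angular-oauth2-oidc or from either commenter): a client-side helper that checks the impersonation token before writing it into OAuthStorage, updates the expiry bookkeeping, and keeps the admin's own token pair so impersonation can be ended without a fresh login. It assumes the library reads an `expires_at` key (epoch milliseconds) for its expiry check, which is an assumption about an internal key to confirm against your version, and it uses an in-memory storage stand-in and a constructed, unsigned token for the demonstration.

```javascript
// Added example, not angular-oauth2-oidc's code. `storage` is assumed to follow the
// library's OAuthStorage shape; 'expires_at' (epoch ms) is an assumed internal key.
function decodeJwtPayload(jwt) {
  // No signature check here: the API consuming the token verifies it; this only
  // keeps an obviously wrong token out of storage.
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}
// Replace the session tokens with the impersonation pair returned by the API after
// checking issuer, audience, expiry and the custom ImpersonateUserId claim.
function startImpersonation(storage, token, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const c = decodeJwtPayload(token.accessToken);
  if (c.iss !== expected.issuer) throw new Error('issuer mismatch');
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(expected.audience)) throw new Error('audience mismatch');
  if (typeof c.exp !== 'number' || c.exp <= nowSec) throw new Error('token expired');
  if (!c.ImpersonateUserId) throw new Error('ImpersonateUserId claim missing');
  if (storage.getItem('orig_access_token') === null) { // keep the admin's own pair
    storage.setItem('orig_access_token', storage.getItem('access_token') ?? '');
    storage.setItem('orig_refresh_token', storage.getItem('refresh_token') ?? '');
  }
  storage.setItem('access_token', token.accessToken);
  storage.setItem('refresh_token', token.refreshToken);
  storage.setItem('expires_at', String(c.exp * 1000)); // keep expiry bookkeeping in step
  return c.ImpersonateUserId;
}
// Restore the admin's original tokens; false when no impersonation is active.
function endImpersonation(storage) {
  const access = storage.getItem('orig_access_token');
  if (access === null) return false;
  storage.setItem('access_token', access);
  storage.setItem('refresh_token', storage.getItem('orig_refresh_token') ?? '');
  if (access) storage.setItem('expires_at', String(decodeJwtPayload(access).exp * 1000));
  storage.removeItem('orig_access_token');
  storage.removeItem('orig_refresh_token');
  return true;
}
// In-memory OAuthStorage stand-in and a constructed, unsigned token for demonstration.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, v); }
  removeItem(k) { this.m.delete(k); }
}
function makeUnsignedJwt(payload) { // 'sig' is a placeholder, not a real signature
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}
```

A failed check leaves storage untouched, so the admin's session keeps working, and the API must still validate the token's signature and the caller's right to impersonate on every request.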

ayyash commented 6 months ago

Any updates on this one? Or any help? After impersonation, any call to "loadUserProfile" to get custom claims fails and logs the user out. Is there another way?