8000 Implement a new impersonation flow that uses action tokens by twobiers · Pull Request #40767 · keycloak/keycloak · GitHub

Implement a new impersonation flow that uses action tokens #40767


Open · wants to merge 6 commits into base: main

Conversation

twobiers
Contributor

This PR implements a new impersonation flow that uses action tokens.

Previously, the impersonation endpoint immediately created an identity cookie and returned it to the browser. This has a couple of downsides:

  1. It's not possible to impersonate a user from the Admin UI when it is served from a different hostname, due to third-party cookie restrictions.
  2. It becomes hard to integrate with the Admin API's impersonation endpoint, as it assumes the endpoint is called from a browser.

In this implementation with action tokens, the impersonation happens once the returned redirect URI is opened in a browser, removing these limitations.

Fixes #10655
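The flow described above, as an added illustration that is not Keycloak's code and does not use its APIs: the admin endpoint mints a short-lived, single-use, signed action token and hands back a redirect link; the identity session is created only when a browser opens that link on the server's own hostname, so no cross-site cookie is ever set. The server key, base URL, URL shape, claim names and the helper names (`ActionTokenStore`, `mint_impersonation_link`, `consume_impersonation_token`) are all constructed for this example.

```python
"""Added example (not Keycloak code): an action-token based impersonation
hand-off. Everything here, including the key, hostname and URL layout, is a
constructed assumption made for the illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key-do-not-use"   # constructed; a real server uses its signing key
BASE_URL = "https://auth.example.test"            # constructed hostname of the auth server
TOKEN_TTL_SECONDS = 60                            # links are meant to be opened right away


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ActionTokenStore:
    """Remembers consumed token ids so the same link cannot be replayed."""

    def __init__(self) -> None:
        self._used = set()

    def mark_used(self, token_id: str) -> bool:
        """Return False when the id was already consumed, True on first use."""
        if token_id in self._used:
            return False
        self._used.add(token_id)
        return True


def mint_impersonation_link(admin_user: str, target_user: str, realm: str,
                            now: Optional[float] = None) -> str:
    """Admin API side: return a redirect URL carrying a signed, expiring token.
    No cookie is produced here, so the caller may be a script or a UI on any host."""
    now = time.time() if now is None else now
    claims = {
        "typ": "impersonate",            # token type, checked on consumption
        "jti": secrets.token_urlsafe(16),  # unique id for single-use enforcement
        "sub": target_user,              # user to be impersonated
        "act": admin_user,               # who requested it (kept for audit)
        "realm": realm,
        "exp": int(now + TOKEN_TTL_SECONDS),
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    # Hypothetical URL layout; the path is an assumption of this example.
    return f"{BASE_URL}/realms/{realm}/login-actions/action-token?key={body}.{sig}"


def consume_impersonation_token(token: str, store: ActionTokenStore,
                                now: Optional[float] = None) -> dict:
    """Browser side: runs when the link is opened on the auth server's hostname.
    Verifies signature, type, expiry and single use; raises ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        raise ValueError("malformed token")
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("typ") != "impersonate":
        raise ValueError("wrong token type")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if not store.mark_used(claims["jti"]):
        raise ValueError("token already used")
    # Only now would the server create the identity cookie for claims["sub"]
    # on its own hostname, recording claims["act"] as the impersonator.
    return {"user": claims["sub"], "impersonator": claims["act"], "realm": claims["realm"]}


def token_from_link(link: str) -> str:
    """Extract the token parameter from a minted link (convenience for the demo)."""
    return link.split("key=", 1)[1]


if __name__ == "__main__":
    store = ActionTokenStore()
    link = mint_impersonation_link("admin", "alice", "demo")
    print("redirect URL:", link)
    print("session:", consume_impersonation_token(token_from_link(link), store))
```

The split into two functions is the point: `mint_impersonation_link` never touches cookies, so it can be called over the Admin API from anywhere, while `consume_impersonation_token` runs in a first-party request and is where expiry and single-use enforcement turn a leaked or replayed link into a rejected one.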

@twobiers twobiers requested review from a team as code owners June 27, 2025 18:54
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
twobiers added 2 commits June 27, 2025 21:27
@twobiers twobiers force-pushed the impersonation-action-token branch from 684fe84 to 4d22240 Compare June 27, 2025 19:27
@ahus1 ahus1 marked this pull request as draft July 1, 2025 15:16
@ahus1
Contributor
ahus1 commented Jul 1, 2025

I'm switching this PR to draft while the build is failing to allow maintainers to unsubscribe. Please ping individual maintainers (including me) if you need help.

@twobiers twobiers force-pushed the impersonation-action-token branch from 5811d25 to 9599fb5 Compare July 1, 2025 15:17
@twobiers twobiers force-pushed the impersonation-action-token branch from 9599fb5 to 2e74209 Compare July 1, 2025 15:18
@twobiers
Contributor Author
twobiers commented Jul 1, 2025

Thanks, and sorry for the notification spam; I didn't think about that. I'll try to remember that.

Anyway, I should be done by now and am happy to receive feedback.

@twobiers twobiers marked this pull request as ready for review July 1, 2025 16:23
@@ -116,4 +116,11 @@ default Predicate<? super T>[] getVerifiers(ActionTokenContext<T> tokenContext)
* @return see above
*/
boolean canUseTokenRepeatedly(T token, ActionTokenContext<T> tokenContext);

/**
* Returns {@code true} when a validity check needs to be beformed before invoking the action, {@code false} when
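Review bot: the new Javadoc should state what the validity check covers and make explicit that returning {@code false} skips it before the action is invoked, since implementers deciding between the two values need to know what they are opting out of; also "beformed" should read "performed".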


"beformed" -> "performed"

@@ -28,6 +28,7 @@ loginTitle=Sign in to {0}
loginTitleHtml={0}
impersonateTitle={0} Impersonate User
impersonateTitleHtml=<strong>{0}</strong> Impersonate User
impersonateError=Error happend while impersonating user
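Review bot: typo in the new impersonateError value: "happend" should be "happened". The neighbouring impersonateTitleHtml key wraps {0} in <strong> markup, so the template that renders these strings must HTML-escape whatever is substituted for {0}; worth confirming the new error page uses the same escaping as the title.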


"happend" -> "happened"

Successfully merging this pull request may close these issues.

Impersonate does not work with separate admin hostname