I am new to AEM. I was going through the impersonating functionality in useradmin.
CQ documentation on impersonation
as per my understanding , impersonation can be done user to user. if there any way user can impersonate group i.e. if user-A can directly impersonate group-A with 5 user. As it would be really difficult for admin to impersonate every new user.
Please suggest
Related
We want to use Microsoft Graph for retrieving Business to Consumer (B2C) tenant users details in our code.
GET https://graph.microsoft.com/v1.0/users
It is giving only normal tenant users.
But we want to get all users signed up using sign up and sign in flows along with their usernames.
There is no proper documentation regarding this. Can someone with domain knowledge help us how to achieve this?
If not possible, CLI/powershell also satisfies our requirements.
Please help 🙏
I believe you're running into the limitation described in the note here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations#how-to-programmatically-manage-microsoft-graph
Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph API.
Notice how you can't grant a delegated permission (for instance User.Read) to a B2C App Registration the way you can to a "normal" Azure AD App Registration. But - you can grant an application permission (like User.Read.All) to your application.
This means you'll have to submit the Graph API request using an auth token granted to your application, not to the user.
I am currently trying to set up keycloak for a production scenario in which I have different contexts, each with users and admins. The admin should only be able to impersonate users from his context.
Giving an admin permission in the form of permissions to impersonate all users is not a problem. but how can I solve the above task? Can one of keycloak built in concepts (groups, roles, realms, scopes etc.) help me?
You have to enable --features=admin-fine-grained-authz and then.
Put your users into a group.
Create another user and grant this user "query-groups" and
"impersonation" roles (from the "realm-management" or "master-realm"
client, depending on the realm).
Go to your group, enable permissions, open "view" permission, and add a
user policy to allow the user to view a group, then repeat for "view-members" permission.
FInd more details here
and here
I deploy a Keycloak-Instance. A requirement is for the Helpdesk to be able to impersonate users.
There is a impersonation-button in the Admin-GUI, great. But the Impersonation-Button gets me access_token for the account-console. I need token for other Clients. Is there a way of "Log into App X as User Y with Using my Admin-Permissions"?
The Impersonation-Endpoint seems not to provide a feature to specify the app to impersonate (https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_impersonate).
EDIT: I'm sorry, it was caused by a bug on my side! Make sure that you aren't logged in in any other app in the realm and that you also don't trigger the logout-function of any app after pressing Impersonate! (or otherwise you have to redo everything)
Thanks in advance!
Impersonation in keycloak is realm level. The access_token that you got from impersonate button is not limited to account-console, it can be used by other clients(or applications) from same realm. Try accessing any other application/client from same realm. You should be able to directly access that application.
If you want to limit impersonation to specific client then you have to extend the Authenticator and implement logic yourself.
I want to secure my user registration page with keycloak but couldn't think of any approaches while reading the docs. The best option for me:
New user register, but his account is unavailable.
When ADMIN accept this new account, user can log in.
Is it possible do it in keycloak ? Or any similar solution ?
Sure you can do it. The easiest way is to give a default role to newly registred users. The default role would give only minimal privileges. Then ADMIN can promote the user to the more appropriate group or role.
Probably to "automate" or smoothen the second part of this flow you might need some flow customization. Cf. https://www.keycloak.org/docs/latest/server_development/#required-action-walkthrough and related.
Another solution is to give to the default minimal role the possibility to request acceptation, or make the request automatically at first logging (eg. mail sent to ADMIN).
EDIT
Programmatically it is also possible to make calls to the Keycloak Admin API (through native Admin Client). For example, you can write some logic (and associated UI or whatever) that will assign or remove groups from a user.
See. Admin REST API
I have read the issues about impersonation, and from what i could find so far it can be achieved. I'm not sure tho if the following could be done using it.
A user doesn't have permission to do a certain operation, but it can be done if a supervisor grant him access.
The grant would be only for that operation/request.
is this something that can be done using impersonation, or there is a better approach for this?
Thanks in advance.
Quick brain dump of what you could do: You would have to implement this yourself in the user service in IdentityServer. One approach is to pass a custom param in the acr_values from the client with the ID of the user you want to impersonate (you will also have to pass prompt=login to force the request to go to the login workflow and thus the user service). In your user service implementation in PreAuthenticate you can check if the user is already authenticated, the custom acr_values is present, and the user is allowed to impersonate the user being requested. You'd then assign the AuthenticateResult on the context with the identity of the new user. This short circuits the login process and will return back to the authorization endpoint, and then back to your client app.