允许支持者以其他用户身份登录 [英] Allow supporter to sign in as another user
问题描述
我们当前有一个Identity Server 4应用程序.使用实体框架核心和asp .net身份.
We currently have an Identity server 4 application. Using entity framework core and asp .net identity.
我们有一群支持者,他们需要能够访问我们的用户帐户,以便通过电话帮助他们解决问题.我们的用户无法弄清楚如何使用团队查看器.由于它们中的大多数是移动设备,并且当时只有一部手机.
We have a group of supporters who need to be able to access our users accounts in order to help them with issues over the phone. Our users are not able to figure out how to use team viewer. As most of them are mobile and will only have a cellphone at the time.
我知道允许其他人登录您的帐户的所有安全后果,但是实际上没有办法解决.我们的客户已接受我们的支持者可以在其请求时连接到他们的帐户.我们相信,只有在要求时,我们的支持者才会这样做.
I know all the security ramifications of allowing other people to sign into your account however there is really no way around this. Our customers have accepted that our supporters can connect to their account when they request it. We trust that our supporters only do this when its requested.
当前的黑客创建了一个api端点,只有我们的支持者才能使用它,因为它已被锁定,因此只有拥有支持者许可的人才能使用它.他们向用户发送电子邮件,然后我们为他们创建一个访问令牌,然后该访问令牌将由应用程序(网络版本)使用,以使其像遇到问题的用户一样发挥作用.
The current hack creates an api endpoint which only our supporters can use as it has been locked down so that only those with supporter permission can use it. They send the users email and we hack create them an access token which is then used by the application (Web version) to act like its the user who is having issues.
此解决方案是我的前任创建的,基本上是通过获取支持者访问令牌并将所有声明替换为此支持者ID的用户ID,然后将其返回给应用程序.我讨厌这个解决方案,它在很多层面上都是很不稳定的,每当我看到这种方法时就会感到非常不稳定.目前不起作用,因为听众的蛤for由于某种原因不正确.
This solution was created by my predecessor basically by taking the supporters access token and replacing all of the claims with this supporters id to the users id and returning it to the application. I hate this solution on a number of levels and its very unstable every time i look at this method it breaks. currently its not working because audience clams are incorrect for some reason.
我真的很想以一种不太hack的方式做到这一点.那么,是否有一种方法可以使用户登录到该应用程序,而实际上不必由用户来登录并返回访问令牌?
I would really like to do this in a less hack way. So is there a way to sign in a user to the application without it actually being them thats doing the signing in and return an access token?
我尝试做
await _signInManager.SignInAsync(user, false, null);
但是我无法弄清楚如何获取该值以返回访问令牌.
But i cant seam to figure out how to get that to return an access token.
我真正想做的是,支持者可以登录任何一个帐户,但可以安全地进行登录.
What i would really like to do is have the ability for supporters to login to any ones account but do it securely somehow.
推荐答案
用户帐户的问题在于它没有绑定到一个应用程序.因此,通过允许其他人使用该帐户登录,您就可以授予其他人访问其他应用程序的权限.解决方法是,您可以使用公开"帐户,例如engineer_01,engineer_02等.
The problem with the user account is that it's not bound to one application. So by allowing others to login using the account, you give them also access to other applications. As a workaround you could use 'public' accounts, like engineer_01, engineer_02, etc.
但是,这根本没有必要. IMO真正想要的是模拟用户,而不是黑客"帐户.
But, this may not be necessary at all. What you really want IMO is to impersonate the user, instead of 'hacking' the account.
一种方法是使用扩展赠款.
这是如何工作的:
已允许模拟特定客户端/资源的用户的登录用户在新的模拟端点上请求访问令牌.
A signed-in user, who is allowed to impersonate users for the particular client/resource, requests an access token at the new impersonation endpoint.
用户从用户发送sub来模拟到端点,在此验证了用户和(的组合)子.
The user sends the sub from the user to impersonate to the endpoint, where the user and (combination of ) sub are verified.
授予访问权限后,将返回一个新的(短期)访问令牌,该令牌可用于模拟用户,而无需了解用户的凭据.
When access is granted a new (short-lived) access token is returned which can be used to impersonate the user, without having to know the credentials of the user.
访问令牌应包含端点的信息,以便可以确定是否模拟了用户.
The access token should contain information of the endpoint so it can be determined whether the user is impersonated.
这篇关于允许支持者以其他用户身份登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
