IdentityServer4 - How to Implement Impersonation


Problem description

I have a requirement of allowing our internal support users to impersonate our customer users.

I'm currently using IdentityServer4, Implicit Flow and OIDC Client.

Resources found so far.

Generate access token with IdentityServer4 without password

Given that there are limited resources online, are there any suggestions on how I can/should implement impersonation with IdentityServer4?

Recommended answer

How to do this

IdentityServer4 does not prescribe any authentication providers. It just acts as one itself for other OIDC clients. That's why you can use third-party login providers, local accounts and whatever else.

Create an ImpersonationController in your IdentityServer. Make sure, that only your administrators can access this page.

[Authorize(Policy = "CanImpersonate")]

Build a page, in which you can input a User ID, that the admin wants to impersonate. When posting that form with the intended User ID, use the SignInManager<> class to Sign in the current user.

You can even build a dropdown for which external login provider you'd like to impersonate with, if that is important to you. Use the ExternalLoginSignInAsync method, otherwise the plain SignInAsync(user, false) method.

You are then already signed in as that user on Identity Server. When your client applications request sign-in, IdentityServer will notice your "forged" session and will redirect back to the client immediately with your currently signed in account.

You are now impersonating that user in your client application and on IdentityServer.

If you SignOut on IdentityServer, you will be "promoted" again to your previously logged in account (if still signed in as different identity), or will need to sign in as your actual administrator account again.

This is obviously a topic for debate. I'm assuming you want to add this feature, so that you can reproduce user issues, or do some action as the user.

If you do this without users knowing, be very careful about side-effects of whatever actions are done during the impersonation. Are E-Mails sent, or similar notifications.

There is a lot of trust to be lost going this route.

This is also a concern for privacy. Who is able to access the details. What details are revealed, when impersonating a user on your platform.

Don't impersonate users.

Implement a controlled way, in which your administrators can perform the required work. Then you have a consistent audit log, and whatever a signed in user does to your system, you can be sure that it was that user, and not your administrator impersonating that account.
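The controller the answer sketches, written out as an added example (not code from the original answer or from IdentityServer4 itself). It assumes the host uses ASP.NET Core Identity with a user type named ApplicationUser, and it swaps SignInAsync(user, false) for SignInWithClaimsAsync so the impersonated session carries an `impersonator_id` claim and the start of each impersonation is written to the log, which addresses the audit-trail concern raised above.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Hypothetical controller inside the IdentityServer host. ApplicationUser is
// assumed to be the host's ASP.NET Core Identity user type.
[Authorize(Policy = "CanImpersonate")]   // only administrators reach this page
public class ImpersonationController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly ILogger<ImpersonationController> _logger;

    public ImpersonationController(UserManager<ApplicationUser> userManager,
                                   SignInManager<ApplicationUser> signInManager,
                                   ILogger<ImpersonationController> logger)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _logger = logger;
    }

    [HttpGet]
    public IActionResult Index() => View();   // view with a single "userId" form field

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Index(string userId)
    {
        var adminId = _userManager.GetUserId(User);
        var target = await _userManager.FindByIdAsync(userId);
        if (target == null)
            return NotFound();

        // Record who started the impersonation before the session changes hands,
        // so the audit log can later attribute actions to the administrator.
        _logger.LogWarning("Admin {AdminId} started impersonating user {TargetId}",
                           adminId, target.Id);

        // Non-persistent sign-in as the target user. The extra claim marks the
        // IdentityServer session cookie as impersonated for downstream auditing.
        await _signInManager.SignInWithClaimsAsync(target, isPersistent: false,
            new[] { new Claim("impersonator_id", adminId) });

        return Redirect("~/");   // client apps now see the target user's session
    }
}
```

Signing out on IdentityServer afterwards clears this cookie, which is the "promotion" back to the administrator's own session described in the answer.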
