3

I need to be able to impersonate a User at the app/client level. The use case is as follows:

  • User decides to publicly share a dashboard (contains very frequently refreshed data, custom organisation, ...)
  • User sends a link to someone else (that other person might not be a user of my app). The link contains the Id of the dashboard and some token to prevent people from just trying things out.
  • When the receiver browses to the link we validate that the dashboard exists and that public sharing has been activated, as well as the token.
  • Then, based on the dashboard configuration, we need to call our API (with a Bearer token) in order to fetch the most recent data for the dashboard. I would like the client app to be able to impersonate the "owner" of the dashboard in order to be able to call the API in its name to get the data.

I read other issues/tickets but they all mention a user impersonating another user but I could not find any evidence that it was actually possible to do what I'm looking for.

Could you drive me in the correct direction?

EDIT: I guess it's not useful to say that I don't want the receiver of the dashboard link to see any login screen; that should be completely transparent to him.

Georges Legros

2 Answers

1

We found a way to achieve what we need.

Based on this post and the sample that is referenced there, we used a CustomGrant validator.

Georges Legros
0

It sounds like you need a server app to authorize as the owner. On the server you are able to keep a secret for the authorization, but not in the client. Then the server app could have a custom grant client that gets an access token on behalf of the owner, and uses that to call the data API when the dashboard is public.

This is OAuth2.0, btw, and not OIDC.

AndersJH
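A sketch of the server-side grant validation both answers describe: the server app (which holds the client secret, never the browser) presents the dashboard id and share token under a custom grant type, and the token server only issues a token in the owner's name when the dashboard is public and the token matches. This is an added example, not code from either answer or from any particular token server; the `dashboard_share` grant name, the client and dashboard records, and the returned token fields are assumptions.

```python
import hashlib
import hmac

# Constructed sample data: dashboards keyed by id, with the owner's subject,
# the public-sharing flag and a hash of the share token embedded in the link.
DASHBOARDS = {
    "dash-1": {"owner": "alice", "public": True,
               "share_token_hash": hashlib.sha256(b"tok-abc").hexdigest()},
    "dash-2": {"owner": "bob", "public": False,
               "share_token_hash": hashlib.sha256(b"tok-def").hexdigest()},
}

# Constructed: the only client allowed to use the custom grant is the server
# app, which is the only place the secret can be kept.
CLIENTS = {"dashboard-server": {"secret": "s3cr3t", "grants": {"dashboard_share"}}}


def validate_dashboard_share_grant(req: dict) -> dict:
    """Custom grant validator (assumed shape): returns either an OAuth2-style
    error or the claims a short-lived, read-only token for the owner would carry."""
    client = CLIENTS.get(req.get("client_id", ""))
    presented_secret = req.get("client_secret", "").encode()
    if client is None or not hmac.compare_digest(client["secret"].encode(), presented_secret):
        return {"error": "invalid_client"}
    if req.get("grant_type") != "dashboard_share" or "dashboard_share" not in client["grants"]:
        return {"error": "unauthorized_client"}

    dash = DASHBOARDS.get(req.get("dashboard_id", ""))
    if dash is None or not dash["public"]:
        # Same error for "unknown" and "not shared" so the link cannot be used to probe ids.
        return {"error": "invalid_grant"}

    presented_hash = hashlib.sha256(req.get("share_token", "").encode()).hexdigest()
    if not hmac.compare_digest(presented_hash, dash["share_token_hash"]):
        return {"error": "invalid_grant"}

    # Impersonate the owner, but only for reading this dashboard and only briefly.
    return {"sub": dash["owner"], "scope": "dashboard.read",
            "dashboard_id": req["dashboard_id"], "expires_in": 300}
```

The server app would send the returned token as the Bearer token to the data API, which in turn should check the `dashboard.read` scope and `dashboard_id` claim rather than treating the token as a full owner session.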