Upgraded to Keycloak 16.0 - Impersonation NOT working though KEYCLOAK_IDENTITY and KEYCLOAK_SESSION Created in Cookie

amruthnaveen14 · January 18, 2022, 11:18pm

Please help me on this,

We have upgraded the Keycloak from 3.x to 16.x - when we try to do an impersonation via REST API https://{BASE_URL}/auth/admin/realms/{REALM_NAME}/users/{USER_ID}/impersonation

github.com

keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java

/*
 * Copyright 2016 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.keycloak.services.resources.admin;

import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;

This file has been truncated. show original

This endpoint is creating all required Usersession (UserSessionModel) and creating an LoginCookie createLoginCookie(AuthenticationManager) After redirection, the Keycloak couldn’t able to create an impersonated login session.

Please help me with this. let me know if you need more details.

/**
 * Impersonate the user
 *
 * @return
 */
@Path("impersonation")
@POST
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public Map<String, Object> impersonate() {
    ProfileHelper.requireFeature(Profile.Feature.IMPERSONATION);

    auth.users().requireImpersonate(user);
    RealmModel authenticatedRealm = auth.adminAuth().getRealm();
    // if same realm logout before impersonation
    boolean sameRealm = false;
    String sessionState = auth.adminAuth().getToken().getSessionState();
    if (authenticatedRealm.getId().equals(realm.getId()) && sessionState != null) {
        sameRealm = true;
        UserSessionModel userSession = session.sessions().getUserSession(authenticatedRealm, sessionState);
        AuthenticationManager.expireIdentityCookie(realm, session.getContext().getUri(), clientConnection);
        AuthenticationManager.expireRememberMeCookie(realm, session.getContext().getUri(), clientConnection);
        AuthenticationManager.backchannelLogout(session, authenticatedRealm, userSession, session.getContext().getUri(), clientConnection, headers, true);
    }
    EventBuilder event = new EventBuilder(realm, session, clientConnection);

    UserSessionModel userSession = session.sessions().createUserSession(realm, user, user.getUsername(), clientConnection.getRemoteAddr(), "impersonate", false, null, null);

    UserModel adminUser = auth.adminAuth().getUser();
    String impersonatorId = adminUser.getId();
    String impersonator = adminUser.getUsername();
    userSession.setNote(IMPERSONATOR_ID.toString(), impersonatorId);
    userSession.setNote(IMPERSONATOR_USERNAME.toString(), impersonator);

    AuthenticationManager.createLoginCookie(session, realm, userSession.getUser(), userSession, session.getContext().getUri(), clientConnection);
    URI redirect = AccountFormService.accountServiceBaseUrl(session.getContext().getUri()).build(realm.getName());
    Map<String, Object> result = new HashMap<>();
    result.put("sameRealm", sameRealm);
    result.put("redirect", redirect.toString());
    event.event(EventType.IMPERSONATE)
            .session(userSession)
            .user(user)
            .detail(Details.IMPERSONATOR_REALM, authenticatedRealm.getName())
            .detail(Details.IMPERSONATOR, impersonator).success();

    return result;
}

Topic		Replies	Views
Passing session token generated by impersonate API Getting advice	0	359	September 8, 2020
Keycloak as broker - Token is no longer valid Configuring the server authentication , identity-brokering , oidc	0	541	February 24, 2023
What are the `session` and `session_2` cookies provided by the keycloak OIDC authentication workflow?	0	1773	January 15, 2021
Implementing User-level Impersonation	0	63	March 26, 2024
Keycloak Rest API - Bug with IDP Mapper Creation Getting advice admin-rest	3	182	January 9, 2024

Upgraded to Keycloak 16.0 - Impersonation NOT working though KEYCLOAK_IDENTITY and KEYCLOAK_SESSION Created in Cookie

Related Topics