Authenticate as a different user
The X-OpenIDM-RunAs header lets an administrative user masquerade as a regular user, without needing
that user’s password. To support this header, you must add the runAsProperties object to the properties
of your authentication module. For example:
"runAsProperties" : {
"adminRoles" : [
"internal/role/openidm-admin"
],
"disallowedRunAsRoles" : [
"internal/role/openidm-admin"
],
"defaultUserRoles" : [
"internal/role/openidm-authorized"
],
"queryId" : "credential-query",
"queryOnResource" : "managed/user",
"propertyMapping" : {
"authenticationId" : "username",
"userRoles" : "authzRoles"
},
"augmentSecurityContext" : {
"type" : "text/javascript",
"source" : "require('auth/customAuthz').setProtectedAttributes(security)"
}
}This configuration lets a user who authenticates with the openidm-admin role masquerade as any user
except one with the openidm-admin role.
If you are adding this configuration to the STATIC_USER module, and you are using Delegated administration,
you must add an additional propertyMapping to the properties of the authentication module. This mapping forces
the privileges to be re-read into the security context when the session JWT is used on subsequent requests. For example:
"propertyMapping" : {
"authenticationId" : "username"
}The sample authentication.json file in openidm/samples/example-configurations/conf/runas/ adds the
runAsProperties object to the STATIC_USER module. Users or clients who authenticate with this module can
then masquerade as other users.
In the following example, the openidm-admin user authenticates with the STATIC_USER module, and can run
REST calls as user bjensen without that user’s password:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--header "X-OpenIDM-RunAs: bjensen" \
--request GET \
"http://localhost:8080/openidm/info/login"
{
"_id": "login",
"authenticationId": "bjensen",
"authorization": {
"userRolesProperty": "authzRoles",
"component": "managed/user",
"authLogin": false,
"adminUser": "openidm-admin",
"roles": [
"internal/role/openidm-authorized"
],
"ipAddress": "[0:0:0:0:0:0:0:1]",
"authenticationId": "openidm-admin",
"protectedAttributeList": [
"password"
],
"id": "bjensen",
"moduleId": "STATIC_USER",
"queryId": "credential-query"
}
}
The authentication output shows that the request was made as user bjensen but with an adminUser of
openidm-admin. This information is also logged in the authentication audit log.
If you were to actually authenticate as user bjensen, without the runAs header, the user is authenticated with the MANAGED_USER authentication module. The output still shows an authenticationId of bjensen but there is no reference to an adminUser:
curl \
--header "X-OpenIDM-Username: bjensen" \
--header "X-OpenIDM-Password: Passw0rd" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/info/login"
{
"_id": "login",
"authenticationId": "bjensen",
"authorization": {
"userRolesProperty": "authzRoles",
"component": "managed/user",
"authLogin": false,
"authenticationIdProperty": "username",
"roles": [
"internal/role/openidm-authorized"
],
"ipAddress": "[0:0:0:0:0:0:0:1]",
"authenticationId": "bjensen",
"protectedAttributeList": [
"password"
],
"id": "bjensen",
"moduleId": "MANAGED_USER",
"queryId": "credential-query"
}
}