Authenticating as a Different User

The X-OpenIDM-RunAs header enables an administrative user to masquerade as a regular user, without needing that user's password. To support this header, you must add a runAsProperties object to the configuration of the authentication module that should accept it.

The sample authentication.json file in openidm/samples/example-configurations/conf/runas/ adds support for the header to the INTERNAL_USER module. This means that users or clients who authenticate using the INTERNAL_USER module can masquerade as other users.

The runAsProperties object has the following configuration:

"runAsProperties" : {
    "adminRoles" : [
        "internal/role/openidm-admin"
    ],
    "disallowedRunAsRoles" : [
        "internal/role/openidm-admin"
    ],
    "defaultUserRoles" : [
        "internal/role/openidm-authorized"
    ],
    "queryId" : "credential-query",
    "queryOnResource" : "managed/user",
    "propertyMapping" : {
        "authenticationId" : "username",
        "userRoles" : "authzRoles"
    },
    "augmentSecurityContext" : {
        "type" : "text/javascript",
        "source" : "require('auth/customAuthz').setProtectedAttributes(security)"
    }
}

This configuration allows a user authenticated with the openidm-admin role to masquerade as any user except one with the openidm-admin role.

In the following example, the openidm-admin user authenticates with the INTERNAL_USER module, and can run REST calls as user bjensen without that user's password:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--cacert ca-cert.pem \
--header "X-OpenIDM-RunAs: bjensen" \
--request GET \
"https://localhost:8443/openidm/info/login"
{
  "_id" : "login",
  "authenticationId" : "bjensen",
  "authorization" : {
    "component" : "managed/user",
    "authLogin" : false,
    "adminUser" : "openidm-admin",
    "roles" : [ "internal/role/openidm-authorized" ],
    "ipAddress" : "127.0.0.1",
    "protectedAttributeList" : [ "password" ],
    "id" : "847fe36b-115b-4769-b74a-d546f0d0ffc8",
    "moduleId" : "INTERNAL_USER"
  }
}

The authentication output shows that the request was made as user bjensen but with an adminUser of openidm-admin. Note that this information is also logged in the authentication audit log.
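Two checks a practitioner would want around the runAsProperties object above and the adminUser field in the login output, as an added example that is not part of the original documentation: a lint that flags a runAsProperties object whose adminRoles are not also in disallowedRunAsRoles (or whose defaultUserRoles include an admin role), and a predicate that spots an impersonated security context by the presence of adminUser. The sample inputs are constructed from the page's own JSON; the function names are assumptions, not OpenIDM APIs.

```python
# Constructed sample: the runAsProperties object from the page, as a dict.
RUN_AS_PROPERTIES = {
    "adminRoles": ["internal/role/openidm-admin"],
    "disallowedRunAsRoles": ["internal/role/openidm-admin"],
    "defaultUserRoles": ["internal/role/openidm-authorized"],
    "queryId": "credential-query",
    "queryOnResource": "managed/user",
}

# Constructed samples: the two /info/login outputs from the page, trimmed.
RUNAS_LOGIN = {"_id": "login", "authenticationId": "bjensen",
               "authorization": {"adminUser": "openidm-admin", "moduleId": "INTERNAL_USER"}}
DIRECT_LOGIN = {"_id": "login", "authenticationId": "bjensen",
                "authorization": {"moduleId": "MANAGED_USER"}}


def lint_run_as(props):
    """Return findings for a runAsProperties object (empty list = nothing to flag).

    Encodes the intent of the page's configuration: every role allowed to send
    X-OpenIDM-RunAs should also be listed in disallowedRunAsRoles, so an admin
    cannot masquerade as another admin, and defaultUserRoles should never hand
    an impersonated session an administrative role.
    """
    admin = set(props.get("adminRoles", []))
    disallowed = set(props.get("disallowedRunAsRoles", []))
    default = set(props.get("defaultUserRoles", []))
    findings = []
    for role in sorted(admin - disallowed):
        findings.append(f"{role} may use RunAs but can also be impersonated; "
                        "add it to disallowedRunAsRoles")
    for role in sorted(default & admin):
        findings.append(f"defaultUserRoles grants admin role {role} to RunAs sessions")
    return findings


def is_impersonated(login_info):
    """True when a security context (shape of the /info/login output) came from
    RunAs: adminUser is present and names someone other than authenticationId."""
    admin_user = login_info.get("authorization", {}).get("adminUser")
    return admin_user is not None and admin_user != login_info.get("authenticationId")


if __name__ == "__main__":
    print(lint_run_as(RUN_AS_PROPERTIES))                    # []
    print(lint_run_as(dict(RUN_AS_PROPERTIES, disallowedRunAsRoles=[])))  # one finding
    print(is_impersonated(RUNAS_LOGIN), is_impersonated(DIRECT_LOGIN))   # True False
```

The same predicate applies to authentication audit entries that carry the adminUser field, which is where the page says this information is also recorded.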

If you authenticate directly as user bjensen, without the RunAs header, the user is authenticated with the MANAGED_USER authentication module. The output still shows an authenticationId of bjensen, but there is no reference to an adminUser:

curl \
--header "X-OpenIDM-Username: bjensen" \
--header "X-OpenIDM-Password: Passw0rd" \
--header "Accept-API-Version: resource=1.0" \
--cacert ca-cert.pem \
--request GET \
"https://localhost:8443/openidm/info/login"
{
  "_id" : "login",
  "authenticationId" : "bjensen",
  "authorization" : {
    "component" : "managed/user",
    "authLogin" : false,
    "roles" : [ "internal/role/openidm-authorized" ],
    "ipAddress" : "127.0.0.1",
    "protectedAttributeList" : [ "password" ],
    "id" : "847fe36b-115b-4769-b74a-d546f0d0ffc8",
    "moduleId" : "MANAGED_USER"
  }
}