Authenticating as a Different User
The X-OpenIDM-RunAs header enables an administrative user to masquerade as a regular user, without needing that user's password. To support this header, you must add a runAsProperties object to the configuration of the authentication module that should accept it.
The sample authentication.json file in openidm/samples/example-configurations/conf/runas/ adds support for the header to the INTERNAL_USER module. This means that users or clients who authenticate using the INTERNAL_USER module can masquerade as other users.
The runAsProperties object has the following configuration:

"runAsProperties" : {
    "adminRoles" : [
        "internal/role/openidm-admin"
    ],
    "disallowedRunAsRoles" : [
        "internal/role/openidm-admin"
    ],
    "defaultUserRoles" : [
        "internal/role/openidm-authorized"
    ],
    "queryId" : "credential-query",
    "queryOnResource" : "managed/user",
    "propertyMapping" : {
        "authenticationId" : "username",
        "userRoles" : "authzRoles"
    },
    "augmentSecurityContext" : {
        "type" : "text/javascript",
        "source" : "require('auth/customAuthz').setProtectedAttributes(security)"
    }
}
This configuration allows a user authenticated with the openidm-admin role to masquerade as any user except one with the openidm-admin role.
In the following example, the openidm-admin user authenticates with the INTERNAL_USER module, and can run REST calls as user bjensen without that user's password:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--cacert ca-cert.pem \
--header "X-OpenIDM-RunAs: bjensen" \
--request GET \
"https://localhost:8443/openidm/info/login"

{
  "_id" : "login",
  "authenticationId" : "bjensen",
  "authorization" : {
    "component" : "managed/user",
    "authLogin" : false,
    "adminUser" : "openidm-admin",
    "roles" : [
      "internal/role/openidm-authorized"
    ],
    "ipAddress" : "127.0.0.1",
    "protectedAttributeList" : [
      "password"
    ],
    "id" : "847fe36b-115b-4769-b74a-d546f0d0ffc8",
    "moduleId" : "INTERNAL_USER"
  }
}
The authentication output shows that the request was made as user bjensen but with an adminUser of openidm-admin. Note that this information is also logged in the authentication audit log.
If you were to actually authenticate as user bjensen, without the RunAs header, the user is authenticated with the MANAGED_USER authentication module. The output still shows an authenticationId of bjensen, but there is no reference to an adminUser:

curl \
--header "X-OpenIDM-Username: bjensen" \
--header "X-OpenIDM-Password: Passw0rd" \
--header "Accept-API-Version: resource=1.0" \
--cacert ca-cert.pem \
--request GET \
"https://localhost:8443/openidm/info/login"

{
  "_id" : "login",
  "authenticationId" : "bjensen",
  "authorization" : {
    "component" : "managed/user",
    "authLogin" : false,
    "roles" : [
      "internal/role/openidm-authorized"
    ],
    "ipAddress" : "127.0.0.1",
    "protectedAttributeList" : [
      "password"
    ],
    "id" : "847fe36b-115b-4769-b74a-d546f0d0ffc8",
    "moduleId" : "MANAGED_USER"
  }
}
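The following Python script is an added example, not code from OpenIDM or ForgeRock. It models the adminRoles/disallowedRunAsRoles decision described above for the runAsProperties object on this page (an illustrative model of the documented behaviour, not the product's implementation), and it parses /info/login output to tell a masqueraded session from a direct one by the presence of adminUser, which is what an auditor would look for in the authentication audit log. The sample responses are constructed and abridged from the two responses shown above.

```python
import json

# runAsProperties values copied from the sample configuration on this page.
RUN_AS_PROPERTIES = {
    "adminRoles": ["internal/role/openidm-admin"],
    "disallowedRunAsRoles": ["internal/role/openidm-admin"],
    "defaultUserRoles": ["internal/role/openidm-authorized"],
}


def run_as_allowed(caller_roles, target_roles, props=RUN_AS_PROPERTIES):
    """Return (allowed, reason) for a RunAs attempt. Assumed model of the
    documented rule: the caller must hold one of adminRoles, and the target
    must hold none of disallowedRunAsRoles."""
    if not set(caller_roles) & set(props["adminRoles"]):
        return False, "caller holds no adminRoles role"
    blocked = set(target_roles) & set(props["disallowedRunAsRoles"])
    if blocked:
        return False, "target holds disallowed role(s): " + ", ".join(sorted(blocked))
    return True, "ok"


def masquerade_info(login_json):
    """Parse an /info/login response. Return who actually authenticated and
    who the request ran as when adminUser is present (a RunAs request), or
    None for a direct login, which carries no adminUser."""
    doc = json.loads(login_json)
    authz = doc.get("authorization", {})
    admin_user = authz.get("adminUser")
    if admin_user and admin_user != doc.get("authenticationId"):
        return {"actor": admin_user, "effective": doc["authenticationId"],
                "module": authz.get("moduleId")}
    return None


# Constructed samples, abridged from the two responses on this page.
SAMPLE_RUNAS = json.dumps({
    "_id": "login", "authenticationId": "bjensen",
    "authorization": {"component": "managed/user", "adminUser": "openidm-admin",
                      "roles": ["internal/role/openidm-authorized"],
                      "moduleId": "INTERNAL_USER"}})
SAMPLE_DIRECT = json.dumps({
    "_id": "login", "authenticationId": "bjensen",
    "authorization": {"component": "managed/user",
                      "roles": ["internal/role/openidm-authorized"],
                      "moduleId": "MANAGED_USER"}})
```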