Does the ForgeRock solution support secure impersonation?
Several methods are available for achieving secure impersonation in the ForgeRock solution. These include: OAuth 2.0 token exchange, Client Initiated Backchannel Authentication (CIBA), and changing a session's user ID.
Overview
Methods for achieving impersonation with the ForgeRock solution include:
- OAuth 2.0 token exchange
- Client Initiated Backchannel Authentication (CIBA)
- Changing a session's user ID
OAuth 2.0 token exchange
ForgeRock supports impersonation through its implementation of OAuth 2.0 Token Exchange (RFC 8693). With this implementation, a client performs an action on behalf of the user in an environment where there is no need to keep a separation between the user and the client. For example, a user completes a money transfer by logging in to their bank application and trusting the application to act on their behalf to access the internal banking system and perform the transaction.
See Token exchange (Identity Cloud) and OAuth 2.0 token exchange (AM) for further information.
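The request and response described above, as an added illustration that is not ForgeRock's own code: the first function builds the RFC 8693 token-exchange form body a client POSTs to the authorization server's token endpoint (without `actor_token` it requests impersonation, with it delegation), and the second shows why the separation matters to a resource server, since an impersonation token carries only the user's `sub` while a delegation token also carries an `act` claim naming the acting client. The JWT helper decodes claims without verifying the signature, and the sample tokens are constructed, unsigned placeholders for an offline run.

```python
import base64
import json
from urllib.parse import urlencode

# Standard RFC 8693 identifiers (not ForgeRock-specific values)
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_token_exchange_request(subject_token, audience, scope, actor_token=None):
    """Form body for the token endpoint. subject_token is the user's token;
    omitting actor_token asks for impersonation, supplying it asks for delegation."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": scope,
    }
    if actor_token is not None:
        params["actor_token"] = actor_token
        params["actor_token_type"] = ACCESS_TOKEN_TYPE
    return urlencode(params)


def jwt_claims(token):
    """Decode a JWT payload WITHOUT signature verification; call this only after
    your JWT library has validated the signature, issuer, audience and expiry."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_exchanged_token(token, expected_subject):
    """Resource-server view: an impersonation token looks exactly like the user's
    own token, whereas a delegation token names the actor in its 'act' claim."""
    claims = jwt_claims(token)
    if claims.get("sub") != expected_subject:
        raise ValueError("subject mismatch")
    if "act" in claims:
        return ("delegation", claims["act"].get("sub"))
    return ("impersonation", None)


def _fake_jwt(claims):
    """Constructed, unsigned sample token for the offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

A resource that must always know which client is acting can therefore refuse tokens that lack an `act` claim and accept only delegation tokens.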
Client Initiated Backchannel Authentication (CIBA)
Impersonation can be achieved through a Client Initiated Backchannel Authentication (CIBA) flow. A CIBA flow allows a client application to obtain authentication and consent from a user without requiring the user to interact with it directly.
See Backchannel request grant (Identity Cloud) and Backchannel request grant (AM) for further information.
Changing a session's user ID
Another impersonation method supported by ForgeRock involves changing the session's username (user ID) to the impersonated user during the authentication journey. With the Impersonate node, available on the ForgeRock Marketplace, you can quickly, easily and securely integrate this capability into an Intelligent Access user journey.
Alternatively, the primary user can remain logged in, and a custom authentication node can be used to augment the user session with the username of the impersonated user. With this method, either the protected application must be altered to use the impersonated ID field or, if ForgeRock Identity Gateway (IG) can be deployed, an IG filter can replace the credentials during the resource access request.
See Also
Token Exchange Impersonation (Cloud Learning video)