Support identity impersonation #201
Comments
|
Thank you for sharing this idea. This is a tricky area because impersonation can easily lead to privilege escalation and other attack vectors. ORY Kratos does not know who has what rights so it can not distinguish if the user being impersonated has more access privileges than the one that's performing the impersonation. A threat agent (could be a disgruntled employee) might be able to abuse impersonation to do serious harm. This also rings true if the threat agent does indeed have privileged access anyways but wants to impersonate another user to perform abusive action in their name. While audit logs are useful after the fact, they usually lack to track all of the things the person could have done (e.g. setting up a rootkit on a VM). In general I don't think it's a good idea to issue credentials on behalf of another user without their explicit consent not only on the authentication itself but also on the scope. What we might be able to do is to use a "Device OAuth2 Flow" (think Amazon FireStick) where one party explicitly confirms (a) authentication and (b) scope and (c) access duration and (d) is able to revoke the authorization. I also think that it is very important to mark impersonated tokens (if issued...) as such. This allows backends to reject impersonated tokens for sensitive operations.
That's more than not really nice, it's the worst that can happen to any IT security, an absolute nightmare and never to be done ever! |
Or it can also be seen as feature, I in fact find impersonation as a basic feature an identity infrastructure service should provide because it enables interesting other use cases. But yes, I am not sure how can a service like ORY Kratos figure permissions out, but maybe it can just delegate to the app to allow or deny the request? And then the app can do this with some policy, or with a prompt to the user, or whatever?
I agree. The default fields in the token should be standard, but then additional fields could explain who is in fact behind the token. And then apps can or deny, log, or even display it to other users ( |
|
Thank you for the quick reply. Regarding use cases, I think t his should be based on demand and not "could be useful" :) Impersonation is very dangerous, and adding it needs to be rooted in a concrete and useful way that can not be achieved otherwise, specifically:
In summary, none of the use cases convince me to introduce such a dangerous feature.
In fact, I think it should be the other way around. The primary user identifier of the session is the admin, and there is an additional field |
Thank you for even quicker reply. Given that this is labelled with
I see it on other hand as a basic security primitive. Which of course has to be implemented well (both from security and UI/UX perspective). SETUID bit is an example of an implementation of this primitive, and of course it can be misused, but it is also very understood. Having SETUID for web applications seems as evolution of the primitive.
Please see some of reasons to have support impersonation here.
I know that I read somewhere in documentation what Ory does this (if user first logs with one account and then another and then figure that they are the same), but I cannot find it now. So without knowing details how Ory does this, without support for impersonation target app has a problem: what if both accounts A and B created some content, and that content has userId stored alongside the content. When you merge A and B, what do you do about those userIds? With impersonation support, you can leave them as-is, only you augment stored data to add that user B impersonated user A during that time, linking them together.
But I want users to have only one username/password. And see from one dashboard all their profiles. Not that they have to logout and login. That was so much pain with Twitter if you wanted to use multiple accounts there. They finally added support for that.
So I do not explain this feature in detail there, but in my view anonymous use requires a balance. App might dislike anonymous users because it requires to know who is who, for example, an online voting app. On the other hand, anonymous contributions even in context of a voting app could be useful so that people can anonymously raise comments during voting. But then, those comments might be moderated and moderators might want to ban a particular person (and not just their anonymous identity). So in my view it is important that app can or a) get information about impersonation b) or get a pointer to where it can get this information. Anonymous users would be in the category b), and if moderator wants to deanonymize the comment to be able to ban it, it would have to follow the pointer to the identity service which would provide then this information (if moderator has permission to do so), but the fact of deanonymization would be logged. Other users would then be able to decide if moderator overstepped or not their role, and most importantly, the anonymous user would be informed that they were deanonymized. So this is the flow I am trying to implement. Of course there might be other ways to achieve anonymization, but generally they are already available (simply registering a new account and things like that). So here the idea is how to provide support for a responsible anonymization.
I understand your position, but I disagree. This is like saying that BTW, I completely agree that user has to be able to give consent for impersonation to happens in the support impersonation use case. But in my view this is separate from the security primitive of impersonation itself. When you call |
You probably mean
Ory is a conglomerate of several applications that solve very clear-cut problems (e.g. OAuth2). OR Kratos - which isn't even officially released yet - solves login and would solve account switching in the future.
Right, that would be "linking" two accounts though, not impersonation. I believe that we could achieve that in Kratos. Linking requires consent (and proof of identity) from both parties.
No one is anonymous on the internet, but the general use case would be for the site admin to decide. They can either use temporary profiles or not :)
PHP shows all error messages per default. This is very useful for debugging. When you go into a production environment, you sometimes forget to set everything so that it's production ready and just copy the already working (sometimes hard to get to work) config files. Now, when your database goes down, PHP shows (or used to show) the host, username, and password in clear text to help you debug. What a nightmare for small site operators! Ory's philosophy is to make insecure things hard and being secure easy. That's why we focus so heavily on this space. I understand the "hey I really want this feature and as easy as possible" but we have to thing about the other 99% that don't need it and that would be very surprised if something like the PHP example happened. I don't think we'll find common ground here ;) |
|
I thought about this a bit more (so thank you for your well-written input!). You do have I point with impersonation, although I feel that most use cases described do not warrant an impersonation functionality because they can be solved in different and much more secure / bespoke ways. Our vision for Kratos is to do things right and give devs the freedom to adapt to their use cases - not build a full-stack cover-all monster that ends up unusable in the end. I think impersonation can be solved with the OAuth2 Device Authorization Grant (https://tools.ietf.org/html/rfc8628). The problem is that the party that wants the access token is on a different device than the person that's authenticating and giving consent - which is exactly the case when we talk about support or remote help. The support desk would send the customer a link - the customer would complete the challenge and relay the code back to the support desk - the flow is completed and support has access with the requested scope and can act on behalf of the customer. I think it's very important to differentiate between acting on behalf of someone and merging, account switching, anonymous users. These are all very different domains and mingling them together will end up - in my opinion - in a huge, insecure mess. When I talk about impersonation, what I mean is acting on behalf of someone else. I think that all the other use cases (except for google ads) do not cover that, which is why I'm reluctant to consider them valid use cases for this particular terminology. |
So how it is planned for Ory to solve the problem when same user logs through two different methods and create two different accounts which then in app create content associated with those two different accounts and the user then wants to meld/merge those accounts together. What will Ory then do?
Not really. If the case of old Twitter, I have to be able to present myself to the Twitter app once as account A and once as account B, while I would be logged into Ory only once. So maybe I was unclear here. Linking is where I would use Twitter's account A and Twitter's account B to both allow me to login into the same Ory identity. That is linking. Linking multiple social account to the same Ory identity. I am not talking about this. I am talking about apps which use Ory as identity provider. In that case same Ory identity might once want to be seen to the app as account A, but at some other time as account B.
Yes, I think you are doing a great job here, BTW. I am really impressed with the quality of both software and documentation.
I agree with this as well. This is also my plan with my own project for identity infrastructure service, Charon. I limited set of features which I believe are needed to describe a particular vision of security. I am trying to do there things a bit differently than how they are done traditionally, one of them is heavy use of impersonation primitive to implement few common scenarios. But this is also an experiment, to see how it will work out. On other hand I think Ory is trying to be much more traditional and stable approach here, which is great as well. Most people do not want an experimental approach which maybe turns out to be a total failure. But before I start working on that I am exploring others, and Ory looks really great. So I thought of seeing how would you feel about adding such feature.
A completely valid point. I will then experiment with this inside my own project and let's see where I get. :-) I on the other side see that if you have a well thought and implemented security primitive, it is good to use it for multiple user-facing features because you have then less code paths you have to make sure they work well. |
|
So since then I realized that there is a standard claim to do exactly this, in a way I would like, So if impersonation is happening, subject/issuer stays the same, but actor can be set to the user who is doing the impersonation. This is different from what you wrote above, that you would prefer if the subject would be who is doing the impersonation, and then additional field which app which supports it should check to see in which name it should act. I do not like your proposal, but I do like So, a question could be: does Kratos plan to support impersonation and |
|
|
It's interesting that there could be a chain of actors, so principal A impersonating B impersonating C, although I doubt the usefulness of such a feature in real world scenarios. It would be interesting to see the decision/reasoning process behind the proposal but I assume that this path was taken to keep backwards compatibility with the original OAuth2 spec. I am still hesitant to give that an ok from my side but I do get the argument! I'd also be open to reopen this issue and discuss it further with the community! |
|
When I made the comment I have not yet read the whole spec.
So I think it is interesting to read the introduction to this spec. They define "delegation" and "impersonation":
So it seems what I envision as impersonation they name "delegation". Their "impersonation" is similar, but without information about delegation. Which is what I thought standard OAuth delegation is about. So to me their terminology is switched around. But OK. |
|
@aeneasr We have a flow where we register users via the identity API and have registrations turned off for self service (we're using custom UI). How can we login after registration in this case? I have a POC that orchestrates browser login via the api and manually returns set-cookie from the browser login flow inside our API but this feels hacky. Is there a way to generate a cookie for a user so we can cookie them on hitting our registration endpoint to prevent them from having to log in immediately after registration? |
Is your feature request related to a problem? Please describe.
in our system we would like to allow admins to impersonate regular users. The rest of the stack should see the same token as the regular user, only that the admin would authenticate as the user. This would be used to help with user support.
Describe the solution you'd like
Another endpoint to authenticate the admin user as the request user. It would otherwise return same OpenID Connect responses, only that it would not require the user to be authenticated, but the admin.
Ideally, the token provided to the app would have additional fields documenting who is impersonating the user.
Moreover, this action should be logged/auditable.
Describe alternatives you've considered
Alternative is for the user to share username and password with the admin, but this is not really nice.
The text was updated successfully, but these errors were encountered: