
I'm using Token Based Authentication using ASP.NET Web API 2, Owin, and Identity in my application.

I need functionality to allow a user with "Admin" role to see the information as another (non-admin) user (to log in without a password, with another user's username only).

I don't know how to generate a new token in the controller and save it in session.

    I literally just did this. This works great: http://tech.trailmax.info/2014/06/user-impersonation-with-asp-net-identity-2/ – spender Dec 01 '16 at 11:16
  • Sorry about my question, I used your example but it didn't help me because I don't understand how I can get the access_token. For example, when I logged in, in the response I got "access_token, token_type, etc". – Yuriy Shkraba Dec 01 '16 at 14:56
  • Apologies. I missed the "Token Based" part of the question. However, because the solution is based around claims, it should be portable to different authentication methods. I've reopened your question. – spender Dec 01 '16 at 15:00
  • Wouldn't you just be logged in as that other user instead of the Admin? You should just use permissions and save the Id of the user you are viewing somewhere (session, url parameter, etc.). – Dominique Alexandre Dec 01 '16 at 16:56
  • Because I will have a bug when the user has only just been created. – Yuriy Shkraba Dec 01 '16 at 17:15
  • And I can't find where the access_token is generated. – Yuriy Shkraba Dec 01 '16 at 17:45
  • Just want to comment that typically this creates a bit of a problem for auditing. If there is some abuse happening from a user account, you can't know if it was the user or an admin doing it as the user. Especially in enterprise applications this should never be done. – juunas Dec 05 '16 at 08:11
  • I understand but customer is always right, I must do it – Yuriy Shkraba Dec 05 '16 at 09:06

1 Answer

I've found a solution to this problem. This is an example of code which returns the access token (it lives in the Web API template's AccountController, next to the normal login endpoint, so it can use that controller's UserManager property):

    using System;
    using System.Net;
    using System.Net.Http;
    using System.Threading.Tasks;
    using System.Web.Http;
    using Microsoft.AspNet.Identity;
    using Microsoft.Owin.Infrastructure;
    using Microsoft.Owin.Security;

    /// <summary>
    /// Login as another user (using only a username)
    /// </summary>
    /// <returns>token key</returns>
    [Authorize(Roles = "Admin")]
    [Route("LoginAs")]
    public async Task<IHttpActionResult> GetLoginAs(string userName)
    {
        if (string.IsNullOrEmpty(userName))
            return new System.Web.Http.Results.ResponseMessageResult(
                Request.CreateErrorResponse(
                    (HttpStatusCode)422,
                    new HttpError("UserName null or empty")));
        try
        {
            // Await the lookup instead of calling .Result: blocking on a Task
            // inside an async action can deadlock the request.
            var userIdentity = await UserManager.FindByNameAsync(userName);
            if (userIdentity != null)
            {
                // Build the same ClaimsIdentity the /Token endpoint would issue for this user.
                // GenerateUserIdentityAsync is the helper on ApplicationUser in the Web API template.
                var oAuthIdentity = await userIdentity.GenerateUserIdentityAsync(UserManager,
                    Startup.OAuthOptions.AuthenticationType);
                var ticket = new AuthenticationTicket(oAuthIdentity, new AuthenticationProperties());
                var currentUtc = new SystemClock().UtcNow;
                ticket.Properties.IssuedUtc = currentUtc;
                ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromMinutes(60));
                // Protect the ticket with the same format the bearer middleware uses to
                // validate tokens; the result is an ordinary access_token that carries the
                // other user's identity and is indistinguishable from one they obtained
                // with their own password.
                string accessToken = Startup.OAuthOptions.AccessTokenFormat.Protect(ticket);
                return Ok(accessToken);
            }
            return BadRequest();
        }
        catch (Exception)
        {
            return BadRequest();
        }
    }
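The token issued by the answer above is indistinguishable from one the target user obtained with their own password, which is the auditing problem juunas raises in the comments. The following is an added example (not code from the question, the answer, or the Visual Studio template) showing one way to keep the same token-issuing mechanism while recording who is actually behind the token. It assumes the "Individual User Accounts" Web API 2 template, i.e. that `Startup.OAuthOptions`, `ApplicationUserManager` and `ApplicationUser.GenerateUserIdentityAsync` exist; the claim type URIs, the controller name, the 15-minute lifetime and the `GetImpersonatorId` helper are assumptions of this example, not anything from the original page.

```csharp
using System;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security;

// Claim types used to mark an impersonation token. The URIs are this example's
// own choice; any stable, unique string works as a claim type.
public static class ImpersonationClaims
{
    public const string ImpersonatedBy = "http://example.com/claims/impersonated_by";
    public const string ImpersonatedByName = "http://example.com/claims/impersonated_by_name";

    // Returns the admin's user id when the current identity came from an
    // impersonation token, otherwise null. Call this from whatever writes the
    // audit log so "user did X" can become "admin A did X as user U".
    public static string GetImpersonatorId(ClaimsIdentity identity)
    {
        if (identity == null)
            return null;
        var claim = identity.FindFirst(ImpersonatedBy);
        return claim == null ? null : claim.Value;
    }
}

[Authorize(Roles = "Admin")]
[RoutePrefix("api/Account")]
public class ImpersonationController : ApiController
{
    // Assumption: ApplicationUserManager is registered in the OWIN context,
    // as the template's Startup.Auth.cs does.
    private ApplicationUserManager UserManager
    {
        get { return Request.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    [HttpGet]
    [Route("LoginAs")]
    public async Task<IHttpActionResult> GetLoginAs(string userName)
    {
        if (string.IsNullOrWhiteSpace(userName))
            return BadRequest("UserName null or empty");

        var target = await UserManager.FindByNameAsync(userName);
        if (target == null)
            return NotFound();

        // Never hand out a token that is more privileged than the caller's own
        // account: an admin may act as a non-admin, but not as another admin.
        if (await UserManager.IsInRoleAsync(target.Id, "Admin"))
            return BadRequest("Cannot impersonate an administrator");

        // The bearer middleware populates User with a ClaimsIdentity.
        var admin = (ClaimsIdentity)User.Identity;

        // Same identity the normal /Token endpoint would issue for the target user.
        var oAuthIdentity = await target.GenerateUserIdentityAsync(
            UserManager, Startup.OAuthOptions.AuthenticationType);

        // Stamp the token with the acting admin so every request made with it
        // can be attributed to both parties.
        oAuthIdentity.AddClaim(new Claim(ImpersonationClaims.ImpersonatedBy, admin.GetUserId()));
        oAuthIdentity.AddClaim(new Claim(ImpersonationClaims.ImpersonatedByName, admin.Name ?? string.Empty));

        var now = new SystemClock().UtcNow;
        var ticket = new AuthenticationTicket(oAuthIdentity, new AuthenticationProperties
        {
            IssuedUtc = now,
            // Shorter than an ordinary login: impersonation should be a brief,
            // deliberate act, not a standing credential.
            ExpiresUtc = now.Add(TimeSpan.FromMinutes(15))
        });

        // Protect with the same format the middleware validates with, so the
        // client can use the result exactly like the token it gets from /Token.
        string accessToken = Startup.OAuthOptions.AccessTokenFormat.Protect(ticket);
        return Ok(new { access_token = accessToken, token_type = "bearer", expires_in = 15 * 60 });
    }
}
```

Because the extra claims are inside the protected ticket, the client cannot strip them without invalidating the token, and any action that writes an audit record can call `ImpersonationClaims.GetImpersonatorId((ClaimsIdentity)User.Identity)` to log the admin alongside the impersonated user.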