Impersonate Users Using the Dashboard
You may need to impersonate other users for testing or troubleshooting purposes. You can:
- Log in to an app as a specific user.
- See everything exactly as that user sees it.
- Do everything exactly as that user does it.
Auth0 provides a Sign in As feature for user impersonation, which offers the following capabilities and information:
- Detailed auditing of who impersonated when.
- Restrictions on impersonation, which allow you to reject an impersonated authentication transaction based on, for instance, corporate policies around privacy and sensitive data.
- Unlimited customization of who can impersonate whom, when, and in what context, using our Rules engine. In a Rule, you have access to
user.impersonated (the impersonated login) and
Impersonation does not work with Authorization API
Impersonation and Login CSRF attacks
To avoid Login CSRF attacks, the OAuth 2.0 specification recommends that applications use the state parameter to make sure that the response they receive matches the authentication request and originates from the same session.
However, applications that check for a valid state parameter will not work with Impersonation, since Impersonation works by sending authenticated responses to applications that never requested authentication. If you are building a single-page application where the authentication results are processed by Lock or Auth0.js, you can disable checking of state to allow Impersonation.
If you're using Lock, you can include the flag using the options parameter sent to the constructor.
Here's the flag itself:
Note that the enableIdPInitiatedLogin flag is preceded by one underscore when used with Lock and two underscores when used with the auth0.js library.
Impersonate users using the Dashboard
Use the Dashboard to log in to your app as a user.
Navigate to the Users page in the Auth0 Dashboard and select the user you want to log in as. Click on the Sign in as User and select the application you want to log in to using the dropdown menu.
I can't see the button
Can't see the button? The following conditions are required for the button display:
- The applications registered in the tenant must have at least one callback URL listed.
- The applications must have the connections that the impersonated user belongs to turned on.
A popup displays the URL to be used in order to impersonate the user. You can choose either to copy the URL into the clipboard (white button) or open it in a separate browser tab/window (blue button).
Acquiring a token
Impersonating a user using the Dashboard will not return an ID Token to your application by default. There are two ways to achieve this. You can alter the Response Type setting in the impersonation menu's Advanced Settings from
Token (Sign in as user -> Show Advanced Settings). Alternatively, you can add additionalParameters.scope: "openid" to the request body when calling the impersonation endpoint manually.
When impersonating a user in Dashboard, after clicking Sign in as User you will see a link to expand "Advanced Settings."
This reveals fields to make it easier to Impersonate a User Using the Impersonation API:
- Response mode:
POST. This is only for server side apps, client side apps default to
- Response type:
Token. This is only for server side apps, client side apps default to
- Scope: This field will have openid in it by default; other scopes can be added as a list using whitespace as the separator.
- State: The state is a required parameter, and leaving it blank may lead to errors like Impersonation - Bad mac. For more information, see State Parameter.