Impersonate Users Using the Dashboard

Impersonation has been deprecated and will not be enabled for customers in the future. The functionality will continue to work for the customers that currently have it enabled. If at some point the impersonation feature is changed or removed from service, customers who currently use it will be notified beforehand and given ample time to migrate.

Often you may need to impersonate other users for testing or troubleshooting purposes. Using impersonation, you can:

  • Log in to an app as a specific user
  • See everything exactly as that user sees it
  • Do everything exactly as that user does it

Auth0 provides a Sign in As feature for user impersonation, and provides the following features and information:

  • Detailed auditing of who impersonated when
  • Restrictions on impersonation which allows you to reject an impersonated authentication transaction based on, for instance, corporate policies around privacy and sensitive data
  • Unlimited customization on who can impersonate who, when, depending on whatever context, using our Rules engine. In a Rule, you have access to user.impersonated (the impersonated login) and user.impersonator (the impersonating login) and you can write arbitrary Javascript to define how it works

Any Rules that you have implemented will run when you impersonate a user, including any actions that update the user.

Impersonation does not work with Authorization API

Impersonation does not work with the API Authorization features. This means that the audience parameter will be ignored, and the Access Token returned to applications when using this flow is only valid for requests to the /userinfo endpoint.

Login CSRF attacks mitigation and Impersonation

To avoid Login CSRF attacks, the OAuth 2.0 specification recommends that applications use the state parameter to make sure that the response they receive matches the authentication request and originates from the same session.

However, applications that check for a valid state parameter will not work with Impersonation, since Impersonation works by sending authenticated responses to applications that never requested authentication. If you are building a single page application where the authentication results are processed by Lock or Auth0.js, you can disable checking of state to allow Impersonation.

Impersonation leaves your application vulnerable to CSRF attacks, since the flag allows the bypassing of the CSRF check from the state parameter if this parameter is missing from the authorization response. By using impersonation, you acknowledge that you understand and accept these risks.

If you are using Auth0.js, you have to update the webAuth.parseHash of the library and set the flag __enableIdPInitiatedLogin to true.

var data = webAuth.parseHash(
  {
    ...
    __enableIdPInitiatedLogin: true
    ...
  }

If you're using Lock, you can include the flag using the options parameter sent to the constructor.

const lock = new Auth0Lock(clientID, domain, options)

Here's the flag itself:

var options = {
    _enableIdPInitiatedLogin: true
};

Note that the enableIdPInitiatedLogin flag is preceded by one underscore when used with Lock and two underscores when used with the auth0.js library.

Impersonate users using the Dashboard

  1. Use the Dashboard to log in to your app as a user.

  2. Navigate to the Users page in the Auth0 Dashboard and select the user you want to log in as. Click on the Sign in as User and select the application you want to log in to using the dropdown menu.

Impersonate a User

I can't see the button

Can't see the button? The following conditions are required for the button display:

  • The applications registered in the tenant must have at least one callback URL listed.
  • The applications must have the connections that the impersonated user belongs to turned on.

A popup displays the URL to be used in order to impersonate the user. You can choose either to copy the URL into the clipboard (white button) or open it in a separate browser tab/window (blue button).

  1. You can copy the URL into the clipboard (white button) or open the URL in a separate browser tab/window (blue button).

Impersonate a User

Acquiring a token

Impersonating a user using the Dashboard will not return an ID Token to your application by default. There are two ways to achieve this. You can alter the Response Type setting in the impersonation menu's Advanced Settings from Code to Token (Sign in as user -> Show Advanced Settings). Alternatively, you can add additionalParameters.scope: "openid" to the request body while calling the impersonation endpoint manually.

Advanced settings

When impersonating a user in Dashboard, after clicking Sign in as User you will see a link to expand "Advanced Settings."

Advanced Settings

This reveals fields to make it easier to Impersonate a User Using the Impersonation API:

  • Response mode: GET or POST. This is only for server side apps, client side apps default to GET.
  • Response type: Code or Token. This is only for server side apps, client side apps default to Token.
  • Scope: This field will have openid in it is as default, other scopes can be added as a list using whitespace as separator.
  • State: The state is a required parameter and leaving it blank may lead to errors like Impersonation - Bad mac. Learn more about using the state parameter here.

Keep reading