How do I use ASP.NET Identity 2.0 to allow a user to impersonate another user?

by

I’ve found a solution to this problem.

Basically I add claim with admin username, if this claim exists, I know that impersonation is happening. When admin wants to stop impersonation, system retrieves original username for the claims, deletes old impersonated-cookie and creates a new cookie for the admin: 

[AuthenticateAdmin] // <- make sure this endpoint is only available to admins
public async Task ImpersonateUserAsync(string userName)
{
    var context = HttpContext.Current;

    var originalUsername = context.User.Identity.Name;

    var impersonatedUser = await userManager.FindByNameAsync(userName);

    var impersonatedIdentity = await userManager.CreateIdentityAsync(impersonatedUser, DefaultAuthenticationTypes.ApplicationCookie);
    impersonatedIdentity.AddClaim(new Claim("UserImpersonation", "true"));
    impersonatedIdentity.AddClaim(new Claim("OriginalUsername", originalUsername));

    var authenticationManager = context.GetOwinContext().Authentication;
    authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = false }, impersonatedIdentity);
}

More information is in my blog-post: User impersonation with ASP.Net Identity 2.

User Impersonation in Asp.Net Core

Upd July 2017: this topic is quite popular, so I’ve looked into user impersonation in Core and principles are very similar with updated API. Here is how to impersonate: 

    [Authorize(Roles = "Admin")] // <-- Make sure only admins can access this 
    public async Task<IActionResult> ImpersonateUser(String userId)
    {
        var currentUserId = User.GetUserId();

        var impersonatedUser = await _userManager.FindByIdAsync(userId);

        var userPrincipal = await _signInManager.CreateUserPrincipalAsync(impersonatedUser);

        userPrincipal.Identities.First().AddClaim(new Claim("OriginalUserId", currentUserId));
        userPrincipal.Identities.First().AddClaim(new Claim("IsImpersonating", "true"));

        // sign out the current user
        await _signInManager.SignOutAsync();

        // If you use asp.net core 1.0
        await HttpContext.Authentication.SignInAsync(cookieOptions.ApplicationCookieAuthenticationScheme, userPrincipal);
        // If you use asp.net core 2.0 (the line above is deprecated)
        await HttpContext.SignInAsync(cookieOptions.ApplicationCookieAuthenticationScheme, userPrincipal);

        return RedirectToAction("Index", "Home");
    }

This is how to stop impersonation:

    [Authorize(Roles = "Admin")] // <-- Make sure only admins can access this 
    public async Task<IActionResult> StopImpersonation()
    {
        if (!User.IsImpersonating())
        {
            throw new Exception("You are not impersonating now. Can't stop impersonation");
        }

        var originalUserId = User.FindFirst("OriginalUserId").Value;

        var originalUser = await _userManager.FindByIdAsync(originalUserId);

        await _signInManager.SignOutAsync();

        await _signInManager.SignInAsync(originalUser, isPersistent: true);

        return RedirectToAction("Index", "Home");
    }

Full explanation in my blog: http://tech.trailmax.info/2017/07/user-impersonation-in-asp-net-core/
Full code sample on GitHub: https://github.com/trailmax/AspNetCoreImpersonation

More Related Contents:

  1. How to get current user, and how to use User class in MVC5?
  2. The entity type ‘Microsoft.AspNet.Identity.EntityFramework.IdentityUserLogin’ requires a key to be defined
  3. How to implement custom authentication in ASP.NET MVC 5
  4. How to extend IdentityUser with custom property
  5. Why is Asp.Net Identity IdentityDbContext a Black-Box?
  6. ASP.NET Identity – Multiple object sets per type are not supported
  7. Register IAuthenticationManager with Simple Injector
  8. Get UserID of logged-in user in Asp.Net MVC 5
  9. ASP.net Identity 2.0 Sign-out another user
  10. Smtp authentification required [duplicate]
  11. c# asp.net delete last comma [closed]
  12. Pass List of Checkboxes into View and Pull out IEnumerable [duplicate]
  13. Setting the default JSON serializer in ASP.NET MVC
  14. RedirectToAction with parameter
  15. Sharing sessions across applications using the ASP.NET Session State Service
  16. Get controller and action name from within controller?
  17. Build error: You must add a reference to System.Runtime
  18. How do I dispose my filestream when implementing a file download in ASP.NET?
  19. Azure ASP .net WebApp The request timed out
  20. ASP.NET MVC Authorization
  21. pass two models to view [duplicate]
  22. Concatenate and minify JavaScript on the fly OR at build time – ASP.NET MVC
  23. ASP.NET MVC 4 + Ninject MVC 3 = No parameterless constructor defined for this object
  24. TempData null in asp.net core
  25. onchange event for html.dropdownlist
  26. How to allow an anonymous user access to some given page in MVC?
  27. The field must be a date – DatePicker validation fails in Chrome – mvc
  28. Specify Date format in MVC5 (dd/MM/yyyy)
  29. What is the difference between DependencyResolver.SetResolver and HttpConfiguration.DependencyResolver in WebAPI
  30. LINQ to Entities does not recognize the method ‘System.String ToString()’ method in MVC 4

Leave a Comment