
Impersonate / Switch User #1196

Open
maximecolin opened this issue Jan 26, 2024 · 4 comments

Comments

@maximecolin

maximecolin commented Jan 26, 2024

Hi,

I'm trying to perform impersonation / switch user over JWT with LexikJWTAuthenticationBundle and it's not clear if the bundle supports it natively or not.

The official bundle documentation on Symfony website seems to indicate the bundle supports it, but there is no explanation about how to process except a link to the Symfony switch user documentation.

I found several issues about this, sometimes very old and outdated, but none comes with an actual working solution nor with a clear statement about switch user support in LexikJWTAuthenticationBundle.

My use case is quite the same as session/cookie based authentication. I'm authenticated as admin (I have a valid JWT) and I want to use it to get another JWT that authenticates me as the impersonated user and allows me to get the previous user from the security token. Is that possible? Or do I have to code my own stuff to handle that? Can JWT even do that?

Thanks, any clues will be greatly appreciated.

@twisted1919

I was not able to make the impersonation work either, even if I followed the documentation to the letter.
It seems that impersonation will not work if you opt-in to store/load the JWTs into/from cookies.

@chalasr
Collaborator

chalasr commented May 20, 2024

Hi guys,

Apologies for the super late reply, my OSS bandwidth has been very limited lately.
What I can say is that given the docs mention it, it is at least indeed supposed to work seamlessly. My guess would be it works as follows:

  • Get a JWT (typically hitting the login_check path)
  • Use the switch_user feature on subsequent requests authenticated through the previously obtained JWT.

I cannot give a guarantee for this to work as I didn't look at it yet, nor can I provide a timeframe in which this would be fixed and properly documented yet. What I can tell is that this would be a worthwhile bugfix and I'll look into it as soon as I can, so please don't close. Any help investigating or fixing it is more than welcome.

Cheers!

@flohw
Contributor

flohw commented May 21, 2024

Hi,

I use the switch user feature every day and it works perfectly fine even with cookies (I use cookies to store my JWT).

First, authenticate the main user as usual.
Then pass the _switch_user user identifier as query param in subsequent requests you want to impersonate with the original JWT.
To impersonate, I first call an endpoint with the _switch_user param to get the impersonated user's profile. I store the current profile in localStorage (let's call it originalUser) and replace the current profile with the new profile I just got. Then I can interact as the impersonated user only by providing the _switch_user param and the original JWT I got on first login.

The key thing is that with javascript you have to manage the session and cookies yourself. While with a standard Symfony application, the framework does the job for you (in a different way).

Maybe the doc needs to be clarified to remember that these things must be managed on the client side.

Hope this helps.
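The endpoint flohw describes (called with `_switch_user` and the original JWT) and the "get the previous user from the security token" part of the question, as an added illustration that is not code from the bundle or from any commenter. It assumes a firewall in security.yaml with both `jwt: ~` and `switch_user: { role: ROLE_ALLOWED_TO_SWITCH }` enabled; the `/api/me` route and `ProfileController` name are made up.

```php
<?php
// Added illustration, not code from LexikJWTAuthenticationBundle or from the thread.
// Assumes the JWT-protected firewall has `switch_user` enabled and restricted
// to ROLE_ALLOWED_TO_SWITCH; the route path below is a made-up example.

namespace App\Controller;

use Psr\Log\LoggerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;

final class ProfileController extends AbstractController
{
    // Called as GET /api/me?_switch_user=<identifier> with the original JWT.
    // Symfony's SwitchUserListener runs before the controller, so by the time
    // we get here the token already belongs to the impersonated user and is
    // wrapped in a SwitchUserToken that still carries the admin's token.
    #[Route('/api/me', name: 'api_me', methods: ['GET'])]
    public function me(TokenStorageInterface $tokenStorage, LoggerInterface $logger): JsonResponse
    {
        $token = $tokenStorage->getToken();
        $user = $this->getUser();

        $payload = [
            'user' => $user?->getUserIdentifier(),
            'impersonator' => null,
        ];

        // IS_IMPERSONATOR is granted only while a switch is active; the
        // original (admin) token is reachable via getOriginalToken().
        if ($this->isGranted('IS_IMPERSONATOR') && $token instanceof SwitchUserToken) {
            $impersonator = $token->getOriginalToken()->getUserIdentifier();
            $payload['impersonator'] = $impersonator;

            // Keep an audit trail of who acted as whom: every impersonated
            // request is a privileged action worth recording.
            $logger->info('Impersonated request', [
                'impersonator' => $impersonator,
                'impersonated' => $payload['user'],
            ]);
        }

        return new JsonResponse($payload);
    }
}
```

The client keeps the original JWT and simply adds `_switch_user` to each request, as described above; the server never issues a second token for the impersonated user, so there is no impersonated JWT to leak or revoke separately.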

@twisted1919

There is a problem for sure with the way the bundle logs the user in if the cookie extractor is enabled; somehow, it overrides the entire session. If I remove the cookie that contains the token and I try to switch to another user, it works just fine.

For now I had to write a custom controller to do impersonation for my use case, but from what I have seen so far, this feature does not work properly currently.
