Post History

75%
+4 −0
Q&A Implementing impersonation in an ASP.NET Core Web application

0 answers  ·  posted 3y ago by Alexei‭

#1: Initial revision by Alexei · 2020-10-11T17:15:55Z (over 3 years ago)
Implementing impersonation in an ASP.NET Core Web application
I am working on a proof-of-concept for porting an ASP.NET MVC application to an ASP.NET Core API + Angular SPA. One of the features of the existing application is the ability of an admin (typically tech support) to impersonate any other user.

This is done through ASP.NET impersonation, but one side effect is that all actions/audit data generated by the impersonator are linked to the impersonated user, which is NOT OK in my opinion (from an audit point of view, actions should be linked to the actual person performing them).

Until ASP.NET 5, ASP.NET Core [does not support impersonation directly](https://stackoverflow.com/questions/60566870/impersonate-user-in-asp-net-core-web-api), but [there seems to be a way to code it](https://www.thereformedprogrammer.net/adding-user-impersonation-to-an-asp-net-core-web-application/).

I am wondering about an alternative approach that would be easier to understand and also make it work for the legacy project + new one (migration can be done over a long period).

**Instead of acting as another user entirely, I implement impersonation by**:

- pushing the current user's rights into some backup tables
- transferring the impersonated user's rights to the impersonator

This leads to the same effect, but with a framework-agnostic approach. Auditable actions are correctly generated and the legacy application can read the impersonation state from the database (instead of trying to set up some kind of session transfer between the two applications).

Since I could not find any article related to such an implementation, I am wondering what the downsides of such an approach are.
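
The rights-swap flow described in the question, as an added example that is not part of the original post, written against SQLite from Python so that it stays independent of either ASP.NET stack. The table, column and function names are all assumptions made for illustration; audit rows keep the real actor and record the impersonated user next to it.

```python
import sqlite3

SCHEMA = """
CREATE TABLE user_rights (user_id INT, right_name TEXT, PRIMARY KEY (user_id, right_name));
CREATE TABLE rights_backup (user_id INT, right_name TEXT);
CREATE TABLE impersonation (admin_id INT PRIMARY KEY, target_id INT);
CREATE TABLE audit_log (actor_id INT, on_behalf_of INT, action TEXT);
"""

def make_db():
    # Constructed sample data: user 1 is the admin, user 2 a regular user.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO user_rights VALUES (?, ?)", [
        (1, "users.manage"), (1, "users.impersonate"), (2, "orders.read"), (2, "orders.edit")])
    db.commit()
    return db

def rights(db, user_id):
    return {r[0] for r in db.execute("SELECT right_name FROM user_rights WHERE user_id=?", (user_id,))}

def target_of(db, admin_id):
    row = db.execute("SELECT target_id FROM impersonation WHERE admin_id=?", (admin_id,)).fetchone()
    return row[0] if row else None

def audit(db, actor_id, action):
    # The actor is always the real account; the impersonated user is recorded alongside it.
    db.execute("INSERT INTO audit_log VALUES (?, ?, ?)", (actor_id, target_of(db, actor_id), action))

def start_impersonation(db, admin_id, target_id):
    if admin_id == target_id or target_of(db, admin_id) is not None:
        raise ValueError("self or nested impersonation is not supported")
    with db:  # one transaction: a failure midway rolls back, leaving the admin's rights intact
        db.execute("INSERT INTO impersonation VALUES (?, ?)", (admin_id, target_id))
        db.execute("INSERT INTO rights_backup SELECT * FROM user_rights WHERE user_id=?", (admin_id,))
        db.execute("DELETE FROM user_rights WHERE user_id=?", (admin_id,))
        # Snapshot copy: later changes to the target's rights are not picked up.
        db.execute("INSERT INTO user_rights SELECT ?, right_name FROM user_rights WHERE user_id=?",
                   (admin_id, target_id))
        audit(db, admin_id, "impersonation_started")

def stop_impersonation(db, admin_id):
    if target_of(db, admin_id) is None:
        raise ValueError("not impersonating; refusing to touch rights")
    with db:
        audit(db, admin_id, "impersonation_stopped")
        db.execute("DELETE FROM user_rights WHERE user_id=?", (admin_id,))
        db.execute("INSERT INTO user_rights SELECT * FROM rights_backup WHERE user_id=?", (admin_id,))
        db.execute("DELETE FROM rights_backup WHERE user_id=?", (admin_id,))
        db.execute("DELETE FROM impersonation WHERE admin_id=?", (admin_id,))
```

Calling `start_impersonation(db, 1, 2)` on a database from `make_db()` swaps the admin's rights for a copy of user 2's, and `stop_impersonation(db, 1)` restores them from the backup table. Both applications can read the `impersonation` table to learn the current state.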