Sebazzz/financial-app

Improve impersonation: allow changing "app owner" token

Closed this issue · 0 comments

We currently have built-in impersonation. This makes it easy to switch accounts, but it bypasses account security: in particular, two-factor authentication is bypassed by impersonation.

The easiest way to resolve this is to allow a user to change their active "context" or "token": the current "AppOwner" group. This would be a safe alternative to actually logging into another account.

  • Database changes to support this: the allowed AppOwner groups per user should be kept in an n:m relationship
  • The current app owner should still be stored in the database; on changing the app token, a new login cookie with the new token should be generated
  • Add a page for this
  • Migrate existing impersonations to the "app owner" token change
  • Ensure SignalR / online detection still works properly
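As an added illustration of the proposed design (this is not code from the financial-app project), a small Python model of the server-side switch: the target group must appear in the user's allowed-AppOwner n:m relationship, the current owner is stored per user, and a new signed cookie is issued that supersedes the previous one so a stale cookie for the old group is no longer accepted. The in-memory tables, the HMAC cookie format and the `cookie_version` field are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data modelling the proposed tables (not real app data).
USERS = {"alice": {"current_app_owner": 1, "cookie_version": 1}}
# n:m relationship "user may act as app owner group".
ALLOWED_APP_OWNERS = {("alice", 1), ("alice", 2)}
# Hypothetical server-side signing key.
SECRET = b"constructed-server-secret"


def _sign(payload: dict) -> str:
    """Encode the cookie payload and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the cookie payload if it is authentic and still current, else None."""
    body, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged
    payload = json.loads(base64.urlsafe_b64decode(body))
    user = USERS.get(payload.get("user"))
    # A cookie issued before the last owner switch carries an old version
    # (and an old app owner) and is rejected, so only the newest cookie works.
    if (user is None
            or payload.get("ver") != user["cookie_version"]
            or payload.get("app_owner") != user["current_app_owner"]):
        return None
    return payload


def switch_app_owner(user_id: str, target_owner: int) -> str:
    """Change the active AppOwner group and return the new login cookie."""
    # Authorization comes from the n:m table, not from impersonation rights.
    if (user_id, target_owner) not in ALLOWED_APP_OWNERS:
        raise PermissionError(f"{user_id} may not act as app owner {target_owner}")
    user = USERS[user_id]
    user["current_app_owner"] = target_owner  # persist current owner
    user["cookie_version"] += 1               # invalidate earlier cookies
    return _sign({"user": user_id, "app_owner": target_owner, "ver": user["cookie_version"]})
```

The same check applies to the SignalR connection: the hub should resolve the active group from the current cookie rather than from a value cached at connect time.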