Topics on this page

Impersonate a user

As an administrator, you may want to impersonate another user when making API calls so you can replicate and verify user-reported issues. This guide walks you through using our APIs to retrieve a user’s token. You can then use the token to make API calls as the impersonated user.

Our user impersonation functionality makes use of the Custom Authentication Flow provided by AWS Cognito.

Key concepts

  • Authentication: Authentication validates a user’s identity.
  • Cognito: Amazon Cognito service provides APIs and infrastructure for key features in the user management space, including authentication, authorization, and user repository management.
  • SAML providers: Many enterprises operate internal user directories or authentication services. These services communicate via Security Assertion Markup Language (SAML). SAML is an open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider. SAML support allows us to operate seamlessly with existing enterprise user directories, such as Microsoft Active Directory Service.
  • Single sign-on (SSO): SSO is the practice of passing authentication along to a remote system, bypassing the need to log in to remote systems independently. In addition to passing tokens internally to BriteCore services, it can also pass them externally.
  • Tokens: The access token is passed to each individual service in BriteCore, ensuring the user’s identity is valid. If the token is revoked or tampered with, it will fail validation, logging the user out of all distributed services simultaneously.
  • User groups: User groups allow users to belong to a common classification. User groups can be used to trigger rules, manage access, or define associations. User groups are only accessible by administrators within BriteAuth.
  • User pools: User pools are collections of users.
    • Internal: BriteAuth creates and manages an independent user pool for each BriteCore client along with a centralized user pool for BriteCore team members, allowing employees to manage a single profile across all client sites.
    • Federated Identities: Federated Identities link remote user identities to the internal BriteAuth identity.
    • Social Identity Providers: Authentication within several large social media services such as Facebook, Google, and Amazon are widely trusted across the internet. BriteAuth supports identities validated through these trusted authorities. This association allows us to support the Log In with Facebook or Log In with Google options in BriteCore.
  • User profile: Each user in the system has user identity with an associated profile containing details about the user. User profiles include fields such as username, password, timezone, legal name, etc.

Impersonate a user using APIs

Step 1: Get a security token

You will need to request an ID and Secret to use OAuth 2.0.

For more information, refer to How do I get started?

Step 2: Get user credentials

The impersonate user endpoint will take in regular credentials from administrators or app clients and return credentials for the specified user.

Sample request

View code
curl -X POST 'https://<client url>{username}/impersonate' \
  -H 'Authorization: Bearer {yourTokenHere}' \

Sample response

View code
	"id": "username",
	"type": "access-token",
	"attributes": {
		"token": "eYJ..."

You can start using the access token that is returned in the response as your bearer token to make calls as the impersonated user.