Oct 18, 2023
Nick Parsons
User impersonation enables support teams to assist customers without compromising privacy and security, essential for delivering great CX.
Unfortunately, no product is perfect. Once in a while, a user will have a problem with your application and need some help from the support team.
But if the problem is specific to the user–something about their data or their permissions within the product–how can customer support help? They could screenshare with the user, but that requires a lot of setup. They could just get the user to describe their problem and then walk them through the steps to fix it, but that is open to all kinds of errors. They could share their credentials with the support team, but that is a huge security risk!
The answer is to implement user impersonation in the product.
User impersonation is an admin feature that allows one user, usually an admin or the support team, to take on the identity of another user without knowing their password or other authentication credentials.
It is one of those features that gets missed in an initial roadmap but is critical to the product's long-term success. Without it, your success team flies blind when trying to help customers. Let’s explain why it’s important and how you can implement user impersonation in your application.
The core reason to use user impersonation is troubleshooting and support. If a user reports an issue specific to their account, admins or the support team can impersonate the user to experience the application exactly as the user does. This helps in identifying and resolving the issue more efficiently.
But user impersonation can go beyond just straightforward support. User impersonation can be important for:
Of course, impersonating users is fraught with risks. Impersonation can easily lead to privacy breaches if not handled carefully. Admins and support can see personal or sensitive information. Also, if not implemented securely, impersonation features can be a potential attack vector for malicious actors. Ensuring that only authorized personnel can use impersonation and that all impersonation activities are logged for auditing is essential.
Because of these concerns, any system implementing user impersonation should have stringent security controls, logging, and auditing. It's also essential to have clear policies about when and why impersonation is used.
Implementing user impersonation is tricky. Literally, you are tricking your application into thinking that you are someone else. Here are the steps to consider through as you add user impersonation to your product:
Let’s show how this would work with a basic JavaScript application. We’re going to set up two core components to this:
The backend is where we will incorporate the logic for our impersonation.
const express = require("express");const cors = require("cors");const PORT = 3000;const app = express();app.use(express.json()); // Middleware to parse JSON requestsconst users = [{ id: 1, username: "admin", password: "pass", roles: ["admin"] },// ... other users];// Use the cors middleware and set the frontend originapp.use(cors({origin: "<http://localhost:3001>",credentials: true,methods: ["GET", "POST", "PUT", "DELETE"],allowedHeaders: ["Content-Type", "Authorization"],}));function ensureAdmin(req, res, next) {const roles = req.body.roles;if (roles && roles.includes("admin")) {return next();} else {return res.status(403).json({ message: "Access forbidden." });}}app.post("/impersonate/:userId", ensureAdmin, (req, res) => {console.log(req);const userIdToImpersonate = req.params.userId;const user = users.find((u) => u.id == userIdToImpersonate);if (!user) {return res.status(404).json({ message: "User not found." });}res.json({ message: "Impersonation started." });});app.post("/stop-impersonation", ensureAdmin, (req, res) => {res.json({ message: "Impersonation stopped." });});app.listen(PORT, () => {console.log(`Server is running on port ${PORT}`);});
We start by importing the two modules needed:
We then set up the Express server. We want to use the built-in express.json()
middleware, enabling the server to parse incoming JSON payloads in requests.
After that, we set up a user array. This array simulates a database of users. Here, you would call your database to check users and roles. We then have to set up some CORS middleware. Without this, our server wouldn’t want to receive requests from our separate frontend.
ensureAdmin is the integral function of the server. This middleware checks if the user role includes "admin." If so, it allows the request to proceed. Otherwise, it sends back a forbidden status. This ensures the user is an admin before allowing them to impersonate another user.
We then have our two API Endpoints:
/impersonate/:userId
: An admin can attempt to impersonate another user by providing their ID./stop-impersonation
: An admin can stop the impersonation.Finally, we start our server. Save this as app.js
and you can run it with
node app.js
With that up and running, we can set up the frontend.
The frontend will mimic the version of the application that an admin would see. When an admin chooses to impersonate, it makes a request to the /impersonate/:userId
endpoint. It then updates the UI based on the response to show that impersonation is active. To stop impersonation, it makes a request to /stop-impersonation
.
import React, { useState } from "react";import "./App.css";function App() {const [isImpersonating, setIsImpersonating] = useState(false);const [message, setMessage] = useState("");const handleImpersonate = async (userId) => {try {const response = await fetch(`/impersonate/${userId}`,{method: "POST",headers: {"Content-Type": "application/json",},body: JSON.stringify({ roles: ["admin"] }),});if (!response.ok) {throw new Error(`HTTP error! Status: ${response.status}`);}const data = await response.json();setIsImpersonating(true);setMessage(data.message);} catch (err) {console.error("Impersonation failed:", err);setMessage("Impersonation failed. Check console for details.");}};const handleStopImpersonating = async () => {try {const response = await fetch("/stop-impersonation>", {method: "POST",headers: {"Content-Type": "application/json",},body: JSON.stringify({ roles: ["admin"] }),});if (!response.ok) {throw new Error(`HTTP error! Status: ${response.status}`);}const data = await response.json();setIsImpersonating(false);setMessage(data.message);} catch (err) {console.error("Failed to stop impersonation:", err);setMessage("Failed to stop impersonation. Check console for details.");}};return (<div className="App">{isImpersonating ? (<div className="impersonation-banner">You are impersonating another user!</div>) : null}<button onClick={() => handleImpersonate(1)}>Impersonate User with ID 1 (admin)</button>{isImpersonating ? (<button onClick={handleStopImpersonating}>Stop Impersonating</button>) : null}<p>{message}</p></div>);}export default App;
After importing React and our CSS, the core App function starts by declaring two state variables:
isImpersonating
: A boolean state that tracks whether the admin is currently impersonating another user.message
: A string state to store and display messages from server responses or errors.We then have our impersonation functions. handleImpersonate
is an async function to impersonate a user by sending a POST request to /impersonate/:userId
. If successful, it sets the state isImpersonating
to true
and displays a message from the server.
handleStopImpersonating
is also an async function, this time to stop impersonation by sending a POST request to /stop-impersonation
. If successful, it sets the state isImpersonating
to false and displays a message from the server.
We then render our component. A button allows the admin to impersonate a user with ID 1 , and then a banner is displayed when the admin is impersonating another user. If the admin is impersonating, another button appears to stop the impersonation.
So when an admin logs in initially, they see this:
Once they press the button, they start the impersonation:
Then, they can stop the impersonation again:
What are the problems with the solution above? They are myriad.
First, we don’t have any authentication. This not only means the whole system is insecure, but it also means the impersonation is insecure. We’re just sending a plain text ‘admin’ message to the backend to tell them we can impersonate a user. The correct way to do this is using JWT. The token would contain the role information and be authenticated by the backend.
We also don’t have the logic incorporated to actually do anything with the impersonation. Neither do we have all the security checks in place to securely audit and log any impersonation.
We’re missing all this because impersonation is difficult to get right. You are coding an entirely different way to access your application, and you have to do it perfectly to avoid any security or privacy issues.
This is where using a platform like Clerk becomes essential. User impersonation is incorporated directly into Clerk. All you have to do is call our backend API with your user ID (user_id
) and the user ID of the user to impersonate (sub
):
const url = "https://api.clerk.com/v1/actor_tokens";const data = {user_id: "user_1o4qfak5AdI2qlXSXENGL05iei6",expires_in_seconds: 600,actor: {sub: "user_21Ufcy98STcA11s3QckIwtwHIES",}};async function postData() {try {const response = await fetch(url, {method: "POST",headers: {"Content-Type": "application/json",},body: JSON.stringify(data),});if (!response.ok) {throw new Error(`HTTP error! Status: ${response.status}`);}const responseData = await response.json();console.log(responseData);} catch (error) {console.log('There was a problem with the fetch operation:', error.message);}}// Invoke the function to execute the fetch operationpostData();
This returns a token you can then use to impersonate the user for 10 minutes:
{"sub": "user_1o4qfak5AdI2qlXSXENGL05iei6","act": {"sub": "user_21Ufcy98STcA11s3QckIwtwHIES"}}
You can then use this with the Clerk SDK for impersonation:
import express from "express";import { ClerkExpressWithAuth } from "@clerk/clerk-sdk-node";const app = express();// Apply the Clerk express middlewareapp.get("/protected-endpoint",ClerkExpressWithAuth({// ...options}),(req, res) => {// The request object is augmented with the// Clerk authentication context.const { userId, actor } = req.auth;res.json({ userId, actor });});app.listen(3000, () => {console.log("Booted.")});
There is an even easier way to use Clerk to impersonate a user–through your dashboard. Go to Users in your dashboard:
Then click to open the menu for the user you want to impersonate and choose "Impersonate user":
Then, your support team is ready to impersonate a user straight away.
Adding user impersonation is a must for a well-functioning support team. It gives them to the tools they need to help your customers with their support needs without sacrificing privacy and security.
Getting it right in your application is a big challenge. Using an authentication solution such as Clerk with user impersonation built-in means you can easily have this embedded in your app, and you don’t have to worry about incorporating errors that lead to security issues. Check out the Clerk user impersonation docs to learn more about setting this up quickly with Clerk.
Start completely free for up to 5,000 monthly active users and up to 10 monthly active orgs. No credit card required.
Learn more about our transparent per-user costs to estimate how much your company could save by implementing Clerk.
The latest news and updates from Clerk, sent to your inbox.