c# impersonation identityserver3

IdentityServer: Impersonation at Client Level


I need to be able to impersonate a User at the app/client level. The use case is as follows:

  • User decides to publicly share a dashboard (contains very frequently refreshed data, custom organisation, ...)
  • User sends a link to someone else (that other person might not be a user of my app). The link contains the Id of the dashboard and some token to prevent people from just trying things out.
  • When the receiver browses to the link, we validate that the dashboard exists and that public sharing has been activated, as well as the token.
  • Then, based on the dashboard configuration, we need to call our API (with a Bearer token) in order to fetch the most recent data for the dashboard. I would like to have the client app be able to impersonate the "owner" of the dashboard in order to be able to call the API in its name to get the data.

I read other issues/tickets but they all mention a user impersonating another user but I could not find any evidence that it was actually possible to do what I'm looking for.

Could you drive me in the correct direction?

EDIT: I guess it's not useful to say that I don't want the receiver of the dashboard link to see any login screen, that should be completely transparent to him


Solution

  • We found a way to achieve what we need.

    Based on this post and the sample that is referenced there, we used a CustomGrant validator.
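
The custom grant validator approach mentioned in the solution, as an added example (not the poster's code and not the referenced sample). It uses IdentityServer3's `ICustomGrantValidator`; the grant type name, the `dashboard_id` and `share_token` request parameters, and the `SharedDashboard` / `IDashboardShareStore` types are assumptions made for illustration.

```csharp
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Validation;

// Hypothetical types for this example; not part of IdentityServer3.
public class SharedDashboard
{
    public string OwnerSubjectId { get; set; }
    public bool PublicSharingEnabled { get; set; }
    public string ShareToken { get; set; }
}
public interface IDashboardShareStore { Task<SharedDashboard> FindAsync(string dashboardId); }

public class DashboardShareGrantValidator : ICustomGrantValidator
{
    private readonly IDashboardShareStore _store;
    public DashboardShareGrantValidator(IDashboardShareStore store) { _store = store; }
    // Assumed grant type name; only the dashboard client should be allowed to use it.
    public string GrantType { get { return "dashboard_share"; } }
    public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
    {
        var dashboardId = request.Raw.Get("dashboard_id");   // assumed parameter names
        var shareToken = request.Raw.Get("share_token");
        if (string.IsNullOrEmpty(dashboardId) || string.IsNullOrEmpty(shareToken))
            return new CustomGrantValidationResult("invalid share link");
        var dashboard = await _store.FindAsync(dashboardId);
        // One error message for every failure, so a caller cannot tell which check failed.
        if (dashboard == null || !dashboard.PublicSharingEnabled || !FixedTimeEquals(dashboard.ShareToken, shareToken))
            return new CustomGrantValidationResult("invalid share link");

        // Subject is the dashboard owner. The extra claim carries the dashboard id so the API can
        // limit the token to it (assumes the claim is emitted into the access token and checked there).
        return new CustomGrantValidationResult(dashboard.OwnerSubjectId, "dashboard_share",
            new[] { new Claim("dashboard_id", dashboardId) });
    }
    // Compare SHA-256 digests without an early exit, so timing does not reveal a partial match.
    private static bool FixedTimeEquals(string expected, string actual)
    {
        using (var sha = SHA256.Create())
        {
            byte[] a = sha.ComputeHash(Encoding.UTF8.GetBytes(expected ?? string.Empty));
            byte[] b = sha.ComputeHash(Encoding.UTF8.GetBytes(actual));
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

The receiver never sees a login screen because the client app sends the share link values to the token endpoint itself; the client still authenticates with its own credentials, so the share token alone is not enough to obtain an access token.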