Add impersonate User feature

apps/console/src/init/app-utils.ts

@@ -75,6 +75,8 @@ export const AppUtils: any = (function() {
     const TENANT_PREFIX_IDP_URL_PLACEHOLDER: string = "${tenantPrefix}";
     const USER_TENANT_DOMAIN_IDP_URL_PLACEHOLDER: string = "${userTenantDomain}";
     const SUPER_TENANT_DOMAIN_IDP_URL_PLACEHOLDER: string = "${superTenantDomain}";
+    const MYACCOUNT_CONSUMER_KEY: string = "MY_ACCOUNT";
+    const IMPERSONATOR_ROLE_NAME: string = "impersonator";
 
     return {
         /**
@@ -223,7 +225,9 @@ export const AppUtils: any = (function() {
             return {
                 __experimental__platformIdP: _config.__experimental__platformIdP,
                 accountApp: {
+                    clientID: MYACCOUNT_CONSUMER_KEY,
                     commonPostLogoutUrl : commonPostLogoutUrl,
+                    impersonationRoleName: IMPERSONATOR_ROLE_NAME,
                     path: skipTenant ?
                         _config.accountAppOrigin + _config.accountApp.path:
                         _config.accountAppOrigin + this.getTenantPath(true) + _config.accountApp.path,

apps/console/src/public/resources/users/init-impersonate.html

@@ -0,0 +1,62 @@
+<!--
+  ~ Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+  ~
+  ~ WSO2 LLC. licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file except
+  ~ in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+-->
+
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    </head>
+    <body onload="authenticate()">
+        <script>
+            var hash = window.location.hash;
+            function authenticate() {
+                if (!hash) {
+                    if (window.location.href.includes("oauth2_error.do")) {
+                        if (sessionStorage.getItem("impersonation_artifacts") === null) {
+                            sessionStorage.setItem("impersonation_artifacts", "oauth2_error");
+                        }
+                        window.parent.postMessage("impersonation-authorize-request-complete", "*");
+                    } else {
+                        const params = new URLSearchParams(window.location.search);
+                        const userId = params.get("userId");
+                        const code_challenge = params.get("codeChallenge");
+                        const client_id = params.get("clientId");
+                        const authorization_endpoint = sessionStorage.getItem("authorization_endpoint");
+                        window.location.href = authorization_endpoint
+                            + "?client_id=" + client_id +
+                            "&redirect_uri=" + window.location.origin + window.location.pathname +
+                            "&state=sample_state&scope=internal_user_impersonate&response_type=id_token%20subject_token" +
+                            "&requested_subject=" + userId +
+                            "&nonce=" + getNonce() + "&code_challenge=" + code_challenge + "&code_challenge_method=S256";
+                    }
+                } else {
+                    if (sessionStorage.getItem("impersonation_artifacts") === null) {
+                        sessionStorage.setItem("impersonation_artifacts", hash);
+                    }
+                    window.parent.postMessage("impersonation-authorize-request-complete", "*");
+                }
+            }
+
+            function getNonce() {
+                return Math.floor(Math.random() * (10000000 - 1000000 + 1)) + 1000000;
+            }
+
+        </script>
+    </body>
+</html>

apps/myaccount/src/layouts/dashboard.tsx

@@ -96,6 +96,7 @@ export const DashboardLayout: FunctionComponent<PropsWithChildren<DashboardLayou
     const [ announcement, setAnnouncement ] = useState<AnnouncementBannerInterface>();
     const [ showAnnouncement, setShowAnnouncement ] = useState<boolean>(true);
     const [ dashboardLayoutRoutes, setDashboardLayoutRoutes ] = useState<RouteInterface[]>(getDashboardLayoutRoutes());
+    const allowedScopes: string = useSelector((state: AppState) => state?.authenticationInformation?.scope);
 
     useEffect(() => {
         const localeCookie: string = CookieStorageUtils.getItem("ui_lang");
@@ -161,15 +162,24 @@ export const DashboardLayout: FunctionComponent<PropsWithChildren<DashboardLayou
         }
 
         const routes: RouteInterface[] = getDashboardLayoutRoutes().filter((route: RouteInterface) => {
-            if (route.path === AppConstants.getPaths().get("APPLICATIONS") && !isApplicationsPageVisible) {
-                return false;
+
+            if (allowedScopes.includes("internal_user_impersonate")) {
+                if (route.path === "/") {
+                    route.redirectTo = AppConstants.getPaths().get("APPLICATIONS");
+                } else if (route.path != AppConstants.getPaths().get("APPLICATIONS")) {
+                    return false;
+                }
+            } else {
+                if (route.path === AppConstants.getPaths().get("APPLICATIONS") && !isApplicationsPageVisible) {
+                    return false;
+                }
             }
 
             return route;
         });
 
         setDashboardLayoutRoutes(filterRoutes(routes, config.ui?.features));
-    }, [ AppConstants.getTenantQualifiedAppBasename(), config, isApplicationsPageVisible ]);
+    }, [ AppConstants.getTenantQualifiedAppBasename(), config, isApplicationsPageVisible, allowedScopes ]);
 
     /**
      * On location change, update the selected route.

features/admin.applications.v1/constants/application-management.ts

@@ -184,6 +184,9 @@ export class ApplicationManagementConstants {
     public static readonly UMA_TICKET: string = "urn:ietf:params:oauth:grant-type:uma-ticket";
     public static readonly DEVICE_GRANT: string = "urn:ietf:params:oauth:grant-type:device_code";
     public static readonly OAUTH2_TOKEN_EXCHANGE: string = "urn:ietf:params:oauth:grant-type:token-exchange";
+    public static readonly TOKEN_TYPE_ACCESS_TOKEN: string = "urn:ietf:params:oauth:token-type:access_token";
+    public static readonly TOKEN_TYPE_JWT_TOKEN: string = "urn:ietf:params:oauth:token-type:jwt";
+    public static readonly TOKEN_TYPE_ID_TOKEN: string = "urn:ietf:params:oauth:token-type:id_token";
     public static readonly ACCOUNT_SWITCH_GRANT: string = "account_switch";
     public static readonly CODE_TOKEN: string = "code token";
     public static readonly CODE_IDTOKEN: string = "code id_token";

features/admin.roles.v2/components/edit-role/edit-role-basic.tsx

@@ -17,13 +17,14 @@
  */
 import { AppConstants } from "@wso2is/admin.core.v1/constants/app-constants";
 import { history } from "@wso2is/admin.core.v1/helpers/history";
+import { AppState } from "@wso2is/admin.core.v1/store";
 import { AlertInterface, AlertLevels, IdentifiableComponentInterface } from "@wso2is/core/models";
 import { addAlert } from "@wso2is/core/store";
 import { Field, Form } from "@wso2is/form";
 import { ConfirmationModal, DangerZone, DangerZoneGroup, EmphasizedSegment } from "@wso2is/react-components";
 import React, { FunctionComponent, ReactElement, useState } from "react";
 import { useTranslation } from "react-i18next";
-import { useDispatch } from "react-redux";
+import { useDispatch, useSelector } from "react-redux";
 import { Dispatch } from "redux";
 import { Divider } from "semantic-ui-react";
 import { deleteRoleById, updateRoleDetails } from "../../api";
@@ -75,6 +76,8 @@ export const BasicRoleDetails: FunctionComponent<BasicRoleProps> = (props: Basic
         error: rolesListError,
         isValidating: isRolesListValidating
     } = useGetRolesList(undefined, undefined, roleNameSearchQuery, "users,groups,permissions,associatedApplications");
+    const accountAppImpersonateRoleName: string = useSelector(
+        (state: AppState) => state.config.deployment.accountApp.impersonationRoleName);
 
     /**
      * Dispatches the alert object to the redux store.
@@ -238,6 +241,7 @@ export const BasicRoleDetails: FunctionComponent<BasicRoleProps> = (props: Basic
                                 t("roles:edit.basics.dangerZone.subheader",
                                     { type: "role" })
                             }
+                            isButtonDisabled={ isSubmitting || role?.displayName === accountAppImpersonateRoleName }
                             onActionClick={ () => onRoleDeleteClicked() }
                             data-componentid={ `${ componentid }-role-danger-zone` }
                         />

features/admin.roles.v2/components/edit-role/edit-role.tsx

@@ -106,6 +106,8 @@ export const EditRole: FunctionComponent<EditRoleProps> = (props: EditRoleProps)
 
     const [ isAdminRole, setIsAdminRole ] = useState<boolean>(false);
     const [ isEveryoneRole, setIsEveryoneRole ] = useState<boolean>(false);
+    const accountAppImpersonateRoleName: string = useSelector(
+        (state: AppState) => state.config.deployment.accountApp.impersonationRoleName);
 
     /**
      * Set the if the role is `Internal/admin`.
@@ -127,7 +129,8 @@ export const EditRole: FunctionComponent<EditRoleProps> = (props: EditRoleProps)
                 render: () => (
                     <ResourceTab.Pane controlledSegmentation attached={ false }>
                         <BasicRoleDetails
-                            isReadOnly={ isAdminRole || isEveryoneRole || isReadOnly || isSharedRole }
+                            isReadOnly={ isAdminRole || isEveryoneRole || isReadOnly || isSharedRole
+                                || roleObject?.displayName === accountAppImpersonateRoleName }
                             role={ roleObject }
                             onRoleUpdate={ onRoleUpdate }
                             tabIndex={ 0 }
@@ -140,7 +143,8 @@ export const EditRole: FunctionComponent<EditRoleProps> = (props: EditRoleProps)
                 render: () => (
                     <ResourceTab.Pane controlledSegmentation attached={ false }>
                         <UpdatedRolePermissionDetails
-                            isReadOnly={ isAdminRole || isReadOnly || isSharedRole }
+                            isReadOnly={ isAdminRole || isReadOnly || isSharedRole
+                                || roleObject?.displayName === accountAppImpersonateRoleName }
                             role={ roleObject }
                             onRoleUpdate={ onRoleUpdate }
                             tabIndex={ 1 }

features/admin.roles.v2/components/role-list.tsx

@@ -318,7 +318,9 @@ export const RoleList: React.FunctionComponent<RoleListProps> = (props: RoleList
                         RoleConstants.FEATURE_DICTIONARY.get("ROLE_DELETE"))
                     || !hasRequiredScopes(userRolesFeatureConfig,
                         userRolesFeatureConfig?.scopes?.delete, allowedScopes)
-                    || isSharedRole;
+                    || isSharedRole
+                    || role?.displayName === t("user:editUser." +
+                        "userActionZoneGroup.impersonateUserZone.actionTitle");
                 },
                 icon: (): SemanticICONS => "trash alternate",
                 onClick: (e: SyntheticEvent, role: RolesInterface): void => {