User impersonation allows the SDx application to perform actions with a back-end service using the identity of a user to get data from another back-end store, such as a resource server. The SDx application performs actions on behalf of the user to authenticate and authorize application-specific actions, such as retrieving or modifying data in a resource server.
The SDx application authenticates with the authentication server using the client id and client secret to obtain an OAuth token. It then uses that token to impersonate the user on any second service calls made through requests from the OData endpoint to the back-end service.
The user client id must be present in the OAuth token so that the request can be authenticated.
You specify which user to impersonate using the header key X-Ingr-OnBehalfOf in the OAuth token and set the value to the LoginName property for the user that needs to be impersonated. For example, X-Ingr-OnBehalfOf: adminUser.
- When you use user impersonation, all the roles available to the user are selected.
- User impersonation can only be performed using an OAuth token obtained from the client credentials authentication workflow.
- When you use user impersonation with batch requests, the impersonation header must be on every request part. You must not use the user impersonation header on the parent request. When using batch change sets, you must use exactly the same user impersonation across a single change set.
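
The batch rules above can be checked before a request is sent, or when reviewing captured traffic. The following is an added example, not SDx code: it parses a multipart batch body with Python's standard email parser and reports each rule violation. The entity names, boundaries, helper names and sample batch are constructed for illustration.

```python
from email import message_from_string
from email.parser import HeaderParser

HEADER = "X-Ingr-OnBehalfOf"

def impersonated_user(http_part):
    """Return the impersonation header value of one embedded request, or None."""
    # Payload is "<request line>\n<headers>\n\n<body>"; skip the request line.
    _, _, rest = http_part.get_payload().lstrip().partition("\n")
    return HeaderParser().parsestr(rest).get(HEADER)

def check_batch(parent_headers, body):
    """Return the rule violations found in one batch request (empty list = OK)."""
    problems = []
    if any(name.lower() == HEADER.lower() for name in parent_headers):
        problems.append("parent request carries the impersonation header")
    ctype = next((v for k, v in parent_headers.items() if k.lower() == "content-type"), "")
    msg = message_from_string(f"Content-Type: {ctype}\n\n{body}")
    if not msg.is_multipart():
        return problems + ["body is not a multipart batch"]
    for i, part in enumerate(msg.get_payload(), 1):
        if part.is_multipart():  # change set: header on every request, same user
            users = [impersonated_user(p) for p in part.get_payload()]
            if None in users:
                problems.append(f"part {i}: change set request without the header")
            if len(set(users) - {None}) > 1:
                problems.append(f"part {i}: change set mixes impersonated users")
        elif impersonated_user(part) is None:
            problems.append(f"part {i}: request without the header")
    return problems

def http_part(request, user=None):
    """Build one application/http part (constructed sample data)."""
    hdr = f"{HEADER}: {user}\n" if user else ""
    return f"Content-Type: application/http\n\n{request} HTTP/1.1\n{hdr}Accept: application/json\n\n"

def multipart(boundary, parts):
    return "".join(f"--{boundary}\n{p}\n" for p in parts) + f"--{boundary}--\n"

# Constructed batch: one query, then a change set that mixes two users.
CHANGE_SET = "Content-Type: multipart/mixed; boundary=changeset_1\n\n" + multipart(
    "changeset_1", [http_part("PATCH Objects('A')", "adminUser"),
                    http_part("PATCH Objects('B')", "otherUser")])
BAD_BODY = multipart("batch_1", [http_part("GET Objects", "adminUser"), CHANGE_SET])
PARENT = {"Content-Type": "multipart/mixed; boundary=batch_1", "Authorization": "Bearer <token>"}

if __name__ == "__main__":
    print(check_batch(PARENT, BAD_BODY))
```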