Confluence REST API calls on behalf of another user

Hello,

As an admin, is it possible to call REST APIs as another user in Confluence?

Thanks
Syed

Hello @SyedHussain

Well, I suppose if you know their username and their password, there’s technically nothing to stop you impersonating them in a basic authentication session.

Well, I can provide you two ways:

  1. As in the previous answer, you can do it if you know the username and password of that user; then you can use basic authentication for your REST API call.
  2. Because you are in the developer community, the other solution is writing a new plugin and exposing a REST API from your plugin. This way, you don’t need to know the user’s password, and you can impersonate anyone with your Java code.

Hi @SyedHussain

I will add one point to @nhac.tat.nguyen’s answer

  1. You can use a plugin from Atlassian Marketplace:

Cheers
Adam

1 Like

@nhac.tat.nguyen Thank you

I was looking for something similar to option 2. I can expose an API from a plugin only for admins. I won’t know the user’s password, but I will have the username. Could you explain more on how to get the session for the user so that I can make other API calls as the impersonated user?

The idea is to make REST calls to the search APIs so that the restrictions are respected for each user who is searching Confluence.

Can you please explain more about this use case, so I can give you a better answer? When do they need to search in Confluence? What operation triggers this search?

@SyedHussain

I think you’ll find you can’t do that sort of ‘impersonation’ you are inferring, as it would breach the basic security principles. To do anything via any of the APIs or the GUI, you need to authenticate as a person with that person’s credentials. You cannot do any sort of ‘intercept’ of that person’s credentials to pretend to be them without their knowledge or consent.

Unless a person implicitly consents and provides their credentials to you or your app, either by providing their password / API token / OAuth token to you or your app, you simply cannot ‘impersonate’ them in the manner you are inferring.

Use Case:
We have a corporate application on which we want to enable Confluence search. We wanted to utilise the search APIs. Since both applications use custom OpenID authentication, we have the details of the user who has logged into the corporate application. So when a user wants to search, we want to respect the permissions to filter the search results. Is it possible to add a new filter to the search to use the username, instead of impersonating a session?

I understand the use case.
You need to write a Confluence plugin for this.

It is NOT “impersonate, then call REST APIs”; it is “impersonate, then use the Confluence Java API to perform a search on behalf of the user and return the result to the caller”.

In your plugin, you will expose your own REST API. Your REST resource will set the current Authentication Context as the target user, then call the internal Java API and return exactly what Confluence returns.

As far as I know, this is the only way to achieve what you want.

Note: You can also use ScriptRunner to create a new REST endpoint, instead of a new plugin.

1 Like
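
A sketch of the plugin REST resource described in the answer above, as an added example that is not code from the thread or from Atlassian. It assumes a Confluence Server/Data Center plugin and that the "Authentication Context" is `AuthenticatedUserThreadLocal`; the class name, the `/search-as` path and the query parameters are hypothetical, and component wiring depends on your plugin setup.

```java
// Added example. ImpersonatedSearchResource, /search-as, "username" and "cql" are hypothetical names.
import com.atlassian.confluence.api.model.content.Content;
import com.atlassian.confluence.api.service.search.CQLSearchService;
import com.atlassian.confluence.security.PermissionManager;
import com.atlassian.confluence.user.AuthenticatedUserThreadLocal;
import com.atlassian.confluence.user.ConfluenceUser;
import com.atlassian.confluence.user.UserAccessor;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.util.List;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Path("/search-as")
@Produces(MediaType.APPLICATION_JSON)
public class ImpersonatedSearchResource {
    private static final Logger log = LoggerFactory.getLogger(ImpersonatedSearchResource.class);
    private final UserAccessor users;
    private final PermissionManager permissions;
    private final CQLSearchService search;

    public ImpersonatedSearchResource(UserAccessor users, PermissionManager permissions, CQLSearchService search) {
        this.users = users; this.permissions = permissions; this.search = search;
    }

    @GET
    public Response searchAs(@QueryParam("username") String username, @QueryParam("cql") String cql) {
        ConfluenceUser caller = AuthenticatedUserThreadLocal.get();
        // The endpoint itself must be admin-only: it lets the caller see another user's view.
        if (caller == null || !permissions.isConfluenceAdministrator(caller)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        ConfluenceUser target = username == null ? null : users.getUserByName(username);
        if (target == null || cql == null || cql.isEmpty()) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        log.info("search-as: caller={} target={}", caller.getName(), target.getName()); // audit trail
        try {
            AuthenticatedUserThreadLocal.set(target);   // permission checks now apply to the target user
            List<String> titles = search.searchContent(cql).getResults().stream()
                    .map(Content::getTitle).collect(Collectors.toList());
            return Response.ok(titles).build();
        } finally {
            AuthenticatedUserThreadLocal.set(caller);   // always restore; request threads are pooled
        }
    }
}
```

The `finally` block matters: leaving the target user on a pooled request thread would let a later request on that thread run with the wrong identity.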

Cool, let me give it a try. Thanks @nhac.tat.nguyen

1 Like