The "User Impersonation" feature is currently incompatible with the application SDK. When an administrator attempts to impersonate a user, the system generates an authorization code and redirects to the application. However, the SDK rejects the code because the authentication flow did not originate from the application itself, triggering a security protection against Login CSRF.
Steps to Reproduce
- Navigate to the User Management or Danger Zone section of the admin dashboard.
- Select a user and click the "Impersonate user" button.
- Observe the redirect to the application URL (e.g., https://exampleapp.com/?code=...).
- Check the application console/SDK logs.
Expected Result
The SDK should accept the authorization code provided by the impersonation flow, validate the session, and allow the administrator to view the application as the target user.
Actual Result
The SDK fails to exchange the code and throws the following error:
Couldn't exchange code.
An authorization_code was supplied for a login which did not originate at the application.
Error Details:
My guess: The SDK detects that the login flow was initiated externally (from the admin panel) rather than through its own internal login initiation endpoint, leading to a suspected Login CSRF attack.
See https://github.com/workos/authkit-js/blob/main/src/create-client.ts#L256