Many people asked me how to use claims-based authorization in ASP.NET. While I have it working here on my machine (hey – it works on my machine!), I still need to polish the bits before I can release them. For those who want to get their hands dirty immediately – here’s what you’d have to do:
- Write an IPrincipal implementation that wraps an AuthorizationContext.
- Write an HTTP module that creates the AuthorizationContext, wraps it in the IPrincipal and puts it on Thread.CurrentPrincipal and Context.User.
- If you need compatibility with the existing URL authorization infrastructure, define a role claim type that should be checked by IPrincipal.IsInRole.
- For more functionality, pages would grab the principal from Context.User and retrieve the AuthorizationContext. From there you can get to the claim sets to use the previously presented APIs to do authorization.
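A sketch of the first three steps, added here as an example and not the code this post refers to. The class names, the role claim type URI, the choice of the PostAuthenticateRequest event and the abstract GetPolicies hook (a derived class decides which IAuthorizationPolicy objects issue the user's claims) are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical principal: wraps the AuthorizationContext so pages can reach it.
public class AuthorizationContextPrincipal : IPrincipal
{
    public const string RoleClaimType = "http://example.org/claims/role"; // assumed URI
    public IIdentity Identity { get; private set; }
    public AuthorizationContext AuthorizationContext { get; private set; }

    public AuthorizationContextPrincipal(IIdentity identity, AuthorizationContext context)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        if (context == null) throw new ArgumentNullException("context");
        Identity = identity;
        AuthorizationContext = context;
    }

    // Called by URL authorization: true only if some claim set holds a
    // PossessProperty claim of the role type whose resource equals the role name.
    public bool IsInRole(string role)
    {
        foreach (ClaimSet set in AuthorizationContext.ClaimSets)
            foreach (Claim claim in set.FindClaims(RoleClaimType, Rights.PossessProperty))
                if (string.Equals(claim.Resource as string, role, StringComparison.Ordinal))
                    return true;
        return false;
    }
}

// Hypothetical module: derive from it, implement GetPolicies, register in web.config.
public abstract class ClaimsAuthorizationModule : IHttpModule
{
    protected abstract IList<IAuthorizationPolicy> GetPolicies(IIdentity identity);

    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += delegate(object sender, EventArgs e)
        {
            HttpContext http = ((HttpApplication)sender).Context;
            if (http.User == null || !http.User.Identity.IsAuthenticated) return;
            AuthorizationContext authz = AuthorizationContext
                .CreateDefaultAuthorizationContext(GetPolicies(http.User.Identity));
            IPrincipal principal = new AuthorizationContextPrincipal(http.User.Identity, authz);
            http.User = principal;               // read by URL authorization and pages
            Thread.CurrentPrincipal = principal; // read by PrincipalPermission checks
        };
    }
    public void Dispose() { }
}
```

IsInRole here accepts a role claim from any claim set in the context; comparing ClaimSet.Issuer against the issuers you trust before honouring the claim is left out to keep the sketch short.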
There are some additional nice-to-have features to implement, like a permission and a corresponding attribute as well as a configurable claim type for IsInRole.
Bear with me.