Using IdentityModel: Adding ASP.NET Support Part 1 (Authentication based Claims)

Adding claims support to ASP.NET is a perfect candidate for an HTTP module. As a reminiscence to RoleManager, I called mine ClaimsManager. The job of the claims manager is this:

  • Creating claims based on the technical authentication details (Windows, Forms, client certificates etc.)
  • Invoking external claims transformation policies which then build the app specific claims based on the technical ones
  • Making the AuthorizationContext available to pages (via Thread.CurrentPrincipal/Context.User – see my previous post)

The first step is to write an IAuthorizationPolicy to map the ASP.NET authentication details to claims. This is done by inspecting Context.User.Identity and client certificates – if you use a custom identity, you would amend that code (check my previous posts about authorization policies):

// policy that adds ASP.NET authentication type specific claims
public class AspNetAuthenticationPolicy : IAuthorizationPolicy
{
    public bool Evaluate(
      EvaluationContext evaluationContext, ref object state)
    {
        HttpContext context = HttpContext.Current;
        List<ClaimSet> claimSets = new List<ClaimSet>();

        // Windows or Forms authentication
        if (context.User.Identity is WindowsIdentity)
        {
            claimSets.Add(
              new WindowsClaimSet(context.User.Identity as WindowsIdentity));
        }
        else if (context.User.Identity is FormsIdentity ||
                 context.User.Identity is GenericIdentity)
        {
            claimSets.Add(new UserNameClaimSet(context.User.Identity.Name))
        }

        // client certificate
        if (context.Request.ClientCertificate.IsPresent)
        {
            X509Certificate2 certificate = new X509Certificate2(
                context.Request.ClientCertificate.Certificate);

            claimSets.Add(new X509CertificateClaimSet(certificate));
        }

        claimSets.ForEach(set => evaluationContext.AddClaimSet(this, set));
        return true;
    }

    public System.IdentityModel.Claims.ClaimSet Issuer
    {
        get { return ClaimSet.System; }
    }

    public string Id
    {
        get
        {
          return
            “LeastPrivilege.IdentityModel.Web.AspNetAuthorizationPolicy”;
        }  
    }
}

 

In the next post I will show the HTTP module, how it calls the above policy and how it chains in external policies.

This entry was posted in ASP.NET, IdentityModel. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s