Improving WIF’s Claims-based Authorization – Part 3 (Usage)

In the previous posts I showed off some of the additions I made to WIF's authorization infrastructure. I now want to show some samples of how I actually use these extensions.

The following code snippets are from Thinktecture.IdentityServer on CodePlex.

The following shows the MVC attribute (the declarative approach) on the WS-Federation controller and on the relying party administration controller. The whole controller is covered by one action/resource pair:

[ClaimsAuthorize(Constants.Actions.Issue, Constants.Resources.WSFederation)]
public class WSFederationController :

[ClaimsAuthorize(Constants.Actions.Administration, Constants.Resources.RelyingParty)]
public class RelyingPartiesAdminController :

In other places I used the imperative approach (e.g. the WRAP endpoint). A failed check is traced and answered with an unauthorized result instead of silently continuing:

if (!ClaimsAuthorize.CheckAccess(principal, Constants.Actions.Issue, Constants.Resources.WRAP))
{
    Tracing.Error("User not authorized");
    return new UnauthorizedResult("WRAP", true);
}

For the WCF WS-Trust endpoints I decided to use the per-request approach, since the SOAP actions are well defined there: WCF hands the SOAP action to the authorization manager as the action claim of every call. The corresponding authorization manager roughly looks like this (the action claim type tells the two cases apart):

public class AuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        var action = context.Action.First();
        var id = context.Principal.Identities.First();

        // if application authorization request
        // (the ClaimsAuthorize attribute / CheckAccess helper tags its action claim with its own claim type)
        if (action.ClaimType.Equals(ClaimsAuthorize.ActionType))
        {
            return AuthorizeCore(action, context.Resource, context.Principal.Identity as IClaimsIdentity);
        }

        // if ws-trust issue request
        // (per-request: the action claim carries the SOAP action, map it to the WS-Trust resource)
        if (action.Value.Equals(WSTrust13Constants.Actions.Issue))
        {
            return AuthorizeTokenIssuance(
                new Collection<Claim> { new Claim(ClaimsAuthorize.ResourceType, Constants.Resources.WSTrust) },
                id);
        }

        return base.CheckAccess(context);
    }
}

You see that it is now really easy to distinguish between per-request and application authorization inside a single authorization manager, which makes the overall design much simpler: all three call sites (attribute, imperative check, WCF) end up in the same CheckAccess, and only the action claim type differs.
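As an added example (not the post's or IdentityServer's own code), here is a self-contained ClaimsAuthorizationManager that serves the same three call sites and can be exercised from a console program without the Thinktecture helpers. Everything in it is assumed: the claim-type URIs in AuthzClaimTypes stand in for the ones the ClaimsAuthorize helper uses, AppActions/AppResources stand in for the post's Constants classes, the policy (Issue needs an authenticated caller, Administration needs an assumed admin role claim) is illustrative, and the principals are constructed sample data. It targets the Microsoft.IdentityModel (WIF 3.5/4.0) namespaces the post uses.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;

// Assumed claim types that carry action and resource for application-level checks.
static class AuthzClaimTypes
{
    public const string Action   = "http://application/claims/authorization/action";
    public const string Resource = "http://application/claims/authorization/resource";
}

// Assumed application vocabulary (stands in for Constants.Actions / Constants.Resources).
static class AppActions   { public const string Issue = "Issue"; public const string Administration = "Administration"; }
static class AppResources { public const string WSTrust = "WSTrust"; public const string RelyingParty = "RelyingParty"; }

public class DemoAuthorizationManager : ClaimsAuthorizationManager
{
    const string AdminRole = "IdentityServerAdministrators"; // assumed role value

    public override bool CheckAccess(AuthorizationContext context)
    {
        // Fail closed: missing context/action or an unauthenticated caller is always denied.
        if (context == null || context.Action == null || context.Action.Count == 0) return false;
        var identity = context.Principal == null ? null : context.Principal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;

        var action = context.Action.First();

        // Application authorization: attribute or imperative check put an action claim
        // of the assumed application claim type on the context.
        if (action.ClaimType == AuthzClaimTypes.Action)
        {
            var resource = context.Resource.FirstOrDefault(c => c.ClaimType == AuthzClaimTypes.Resource);
            return AuthorizeApplication(action.Value, resource == null ? null : resource.Value, identity);
        }

        // Per-request authorization: WCF passes the SOAP action as the action claim value.
        if (action.Value == WSTrust13Constants.Actions.Issue)
            return AuthorizeApplication(AppActions.Issue, AppResources.WSTrust, identity);

        // Unknown SOAP action or claim type: deny instead of delegating to the base class.
        return false;
    }

    // One policy function, so attribute, imperative and WCF call sites cannot drift apart.
    bool AuthorizeApplication(string action, string resource, IClaimsIdentity identity)
    {
        if (string.IsNullOrEmpty(action) || string.IsNullOrEmpty(resource)) return false;
        switch (action)
        {
            case AppActions.Issue:
                return resource == AppResources.WSTrust;   // any authenticated caller (assumed)
            case AppActions.Administration:
                return identity.Claims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == AdminRole);
            default:
                return false;
        }
    }
}

static class Demo
{
    // Constructed sample principal; the authentication type makes IsAuthenticated true.
    static IClaimsPrincipal Caller(string name, params Claim[] extra)
    {
        var claims = new[] { new Claim(ClaimTypes.Name, name) }.Concat(extra);
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Demo"));
    }

    static bool Check(ClaimsAuthorizationManager mgr, IClaimsPrincipal p, Claim action, Claim resource)
    {
        return mgr.CheckAccess(new AuthorizationContext(p,
            new Collection<Claim> { resource }, new Collection<Claim> { action }));
    }

    static void Main()
    {
        var mgr   = new DemoAuthorizationManager();
        var alice = Caller("alice");
        var bob   = Caller("bob", new Claim(ClaimTypes.Role, "IdentityServerAdministrators"));

        // Application check, shaped like the one the ClaimsAuthorize attribute raises.
        var admin = new Claim(AuthzClaimTypes.Action, AppActions.Administration);
        var rp    = new Claim(AuthzClaimTypes.Resource, AppResources.RelyingParty);
        Console.WriteLine("alice admin: " + Check(mgr, alice, admin, rp));
        Console.WriteLine("bob admin:   " + Check(mgr, bob, admin, rp));

        // Per-request check, shaped like the one WCF raises for a WS-Trust Issue call.
        var issue = new Claim(ClaimTypes.Name, WSTrust13Constants.Actions.Issue);
        var sts   = new Claim(ClaimTypes.Name, "https://sts.example.test/trust/13"); // assumed endpoint
        Console.WriteLine("alice issue: " + Check(mgr, alice, issue, sts));
    }
}
```

One design difference from the post's manager is worth noting: WIF's base ClaimsAuthorizationManager.CheckAccess returns true, so a fall-through to base.CheckAccess grants any SOAP action that the manager did not match explicitly. That is harmless as long as the endpoint only answers Issue, but the example denies by default so that adding Renew, Cancel or a metadata operation later cannot silently bypass the policy.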


This entry was posted in IdentityModel. Bookmark the permalink.
