Improving WIF’s Claims-based Authorization – Part 3 (Usage)

In the previous posts I showed off some of the additions I made to WIF’s authorization infrastructure. I now want to show some samples how I actually use these extensions.

The following code snippets are from Thinktecture.IdentityServer on Codeplex.

The following shows the MVC attribute on the WS-Federation controller:

[ClaimsAuthorize(Constants.Actions.Issue, Constants.Resources.WSFederation)]
public class WSFederationController :
Controller

or…

[ClaimsAuthorize(Constants.Actions.Administration, Constants.Resources.RelyingParty)]
public class RelyingPartiesAdminController :
Controller

In other places I used the imperative approach (e.g. the WRAP endpoint):

if (!ClaimsAuthorize.CheckAccess(principal, Constants.Actions.Issue, Constants.Resources.WRAP))
{
   
Tracing.Error("User not authorized"
);
   
return new UnauthorizedResult("WRAP", true);
}

For the WCF WS-Trust endpoints I decided to use the per-request approach since the SOAP actions are well defined here. The corresponding authorization manager roughly looks like this:

public class AuthorizationManager : ClaimsAuthorizationManager
{
   
public override bool CheckAccess(AuthorizationContext
context)
    {
       
var
action = context.Action.First();
       
var
id = context.Principal.Identities.First();

       
// if application authorization request
        if (action.ClaimType.Equals(ClaimsAuthorize
.ActionType))
        {
           
return AuthorizeCore(action, context.Resource, context.Principal.Identity as IClaimsIdentity
);
        }

       
// if ws-trust issue request
        if (action.Value.Equals(WSTrust13Constants.Actions
.Issue))
        {
           
return AuthorizeTokenIssuance(new Collection<Claim>
{
new Claim(ClaimsAuthorize.ResourceType, Constants.Resources
.WSTrust) }, id);
        }

       
return base.CheckAccess(context);
    }
}

You see that it is really easy now to distinguish between per-request and application authorization which makes the overall design much easier.

HTH

This entry was posted in IdentityModel. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s