Adding custom roles to windows roles in ASP.NET using claims
If you’ve been using WIF (Windows Identity Foundation) for any amount of time this shouldn’t be anything new, but for folks that haven’t had their eyes opened yet to using claims-based identity then I wanted to show how it’s very easy to add custom roles to windows roles (or any other claim type for that matter).
Here’s the requirement: I’m using windows authentication and I get all the groups back for the user as roles, but I want to also add additional application specific roles to the user for authorization purposes.
First thing to note here is that if you’re using windows authentication then you don’t need to use the WindowsTokenRoleProvider since the user’s groups are already loaded via windows authentication and most of the methods in this class throw an exception letting you know they’re not implemented (thus illustrating that role providers aren’t all that useful).
Second, if you’re using .NET 4.5 (since all the identity classes are claims-aware) then it’s dirt simple to augment them with custom claims (including roles). In ASP.NET you’d need to hook the same event in the HTTP pipeline that you’d hook for custom roles (as I already pointed out here). In short you need to load your custom roles (or claims) from your custom store/database and then augment the current principal with them in the Application_PostAuthenticateRequest in global.asax. Here’s the code:
// Requires: using System.Linq; using System.Security.Claims;
void Application_PostAuthenticateRequest()
{
    if (Request.IsAuthenticated)
    {
        // GetRolesForUser is your own lookup against the application's role store/database
        string[] roles = GetRolesForUser(User.Identity.Name);
        // Under windows authentication this is the WindowsIdentity (a ClaimsIdentity in .NET 4.5)
        var id = ClaimsPrincipal.Current.Identities.First();
        foreach (var role in roles)
        {
            // ClaimsIdentity.Claims is a read-only IEnumerable<Claim>; AddClaim is the augmentation API
            id.AddClaim(new Claim(ClaimTypes.Role, role));
        }
    }
}
HTH
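As an added example that is not part of the original post, here is a fuller Global.asax.cs doing the same augmentation. ClaimsPrincipal.IsInRole asks each identity for claims of that identity's own RoleClaimType, and a WindowsIdentity's role claim type denotes Windows groups rather than ClaimTypes.Role, so the application roles are placed in a second ClaimsIdentity whose RoleClaimType is ClaimTypes.Role; the MvcApplication class name, the "ApplicationRoles" authentication type, the CONTOSO accounts and the in-memory store are constructed stand-ins for a real application and its database.

```csharp
// Added example (not the post's code): Global.asax.cs for an ASP.NET app that uses Windows
// authentication. A constructed in-memory store stands in for the application's database.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Constructed sample data; keys are account names as Windows auth reports them (DOMAIN\user).
    private static readonly Dictionary<string, string[]> AppRoleStore =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\alice", new[] { "AppAdmin", "ReportViewer" } },
            { @"CONTOSO\bob",   new[] { "ReportViewer" } },
        };

    // Hypothetical authentication type label for the identity that carries the app roles.
    private const string AppRolesAuthType = "ApplicationRoles";

    protected void Application_PostAuthenticateRequest()
    {
        if (!Request.IsAuthenticated) return;
        // Under Windows authentication Context.User is a WindowsPrincipal, which in .NET 4.5
        // derives from ClaimsPrincipal and can therefore carry more than one identity.
        var principal = Context.User as ClaimsPrincipal;
        if (principal == null) return;
        // Guard against augmenting the same principal twice (handler re-entry).
        if (principal.Identities.Any(i => i.AuthenticationType == AppRolesAuthType)) return;

        var roleClaims = GetRolesForUser(principal.Identity.Name)
            .Select(r => new Claim(ClaimTypes.Role, r));

        // ClaimsPrincipal.IsInRole asks each identity for claims of that identity's own
        // RoleClaimType. A WindowsIdentity's role claim type denotes Windows groups, so the
        // application roles go in a second identity whose RoleClaimType is ClaimTypes.Role.
        var appIdentity = new ClaimsIdentity(roleClaims, AppRolesAuthType,
                                             ClaimTypes.Name, ClaimTypes.Role);
        principal.AddIdentity(appIdentity);
        // Now [Authorize(Roles = "AppAdmin")] and User.IsInRole("AppAdmin") hold for alice.
    }

    private static string[] GetRolesForUser(string accountName)
    {
        string[] roles;
        return AppRoleStore.TryGetValue(accountName, out roles) ? roles : new string[0];
    }
}
```

The store lookup runs on every request, so a real implementation should cache the roles per user rather than hitting the database each time.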

This is very interesting to me. So can I assume using this method it is more responsive when I want to use the Authorize Attribute on MVC Controllers or individual methods inside of a specific controller? I felt forced to hack together my own Authorize attribute because of the MVC limitations. I think a bit of a hack, but I really needed to define my application roles that would be assigned AD Groups of people. http://thomasgathings.com/?p=34
If what you have above allows me to use the native Authorize Attribute with a string of roles that are application defined I may dance a jig.
These are doing different things — the PostAuthRequest allows for a place to load additional info about user. Prior to claims this was done as roles, but now with claims you can load any data.
The [Authorize] attribute is doing authorization checks. If you built custom attributes to do DB checks, they could instead do checks against the claims that were loaded from the PostAuthRequest.
What would be the best way to add a custom role (or other custom claim) to a security token, in a way that this claim would exist in the session cookie for subsequent requests, and even make the bootstrap token to contain the custom claim, to allow delegating the token to a web API service?
You’d have to issue the token yourself like this: http://brockallen.com/2013/01/26/replacing-forms-authentication-with-wifs-session-authentication-module-sam-to-enable-claims-aware-identity/
Oh sorry, I missed the last part of your question(s) about delegating. As for delegation, it depends on what the backend that you’re calling into is and how it’s expecting the token. If it’s a SOAP API, then look into delegation with WS-Trust. If the backend is an HTTP-based API then you’d need some sort of OAuth2-like authorization. I guess I’m not going to have an answer for you since it very much depends on many factors.