Access Control Service v2: Registering Web Identities in your Applications [code]
Posted on Least Privilege
Published on Sat, 21 May 2011 16:51:56 GMT
You can download the full solution here.
The relevant parts in the sample are:
Configuration
I use the standard WIF configuration with passive redirect. This kicks in automatically
whenever authorization fails in the application (e.g. when the user tries to get
to an area that requires authentication or needs registration).
Checking and transforming incoming claims
In the claims authentication manager we have to deal with two situations:
users that are authenticated but not registered, and registered (and authenticated)
users. Registered users will have claims that come from the application domain; the
claims of unregistered users come directly from ACS and get passed through. In both
cases a claim for the unique user identifier will be generated. The high level logic
is as follows:
using Microsoft.IdentityModel.Claims;

// The override lives in a ClaimsAuthenticationManager subclass (class name is illustrative).
public class ClaimsTransformer : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(
        string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // do nothing if anonymous request
        if (!incomingPrincipal.Identity.IsAuthenticated)
        {
            return base.Authenticate(resourceName, incomingPrincipal);
        }

        // derive the application-wide unique user id from the ACS claims
        string uniqueId = GetUniqueId(incomingPrincipal);

        // check if user is registered
        RegisterModel data;
        if (Repository.TryGetRegisteredUser(uniqueId, out data))
        {
            // registered: replace the ACS claims with application-defined claims
            return CreateRegisteredUserPrincipal(uniqueId, data);
        }

        // authenticated by ACS, but not registered:
        // pass the ACS claims through and add the unique id claim
        incomingPrincipal.Identities[0].Claims.Add(
            new Claim(Constants.ClaimTypes.Id, uniqueId));

        return incomingPrincipal;
    }
}
User Registration
The registration page is handled by a controller with the [Authorize] attribute.
That means you need to authenticate before you can register (crazy eh? ;). The controller
then fetches some claims from the identity provider (if available) to pre-fill form
fields.
After successful registration, the user is stored in the local data store and a new session token gets issued. This effectively replaces the ACS claims with application defined claims without requiring the user to re-signin.
Authorization
All pages that should be only reachable by registered users check for a special
application defined claim that only registered users have. You can nicely wrap that
in a custom attribute in MVC:
[RegisteredUsersOnly]
public ActionResult Registered()
{
    return View();
}
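As an added example (not the sample's own code), here is one way to fill in the two pieces the post leaves out: a GetUniqueId that scopes the name identifier by identity provider, and the RegisteredUsersOnly filter that checks the application-defined claim. It targets WIF 3.5 (Microsoft.IdentityModel) and ASP.NET MVC; the claim type value standing in for Constants.ClaimTypes.Id and the ~/Register route are assumptions.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Claims;

static class Registration
{
    // Claim type ACS v2 adds to each token to name the originating identity provider.
    const string IdentityProvider =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";
    // Hypothetical value for the post's Constants.ClaimTypes.Id (only registered users get it).
    public const string IdClaimType = "http://example.com/claims/registered-user-id";

    // A name identifier is only unique within one identity provider, so the local
    // account key combines it with the provider name; otherwise two users at different
    // providers who share an identifier would map to the same registration record.
    public static string GetUniqueId(IClaimsPrincipal principal)
    {
        var claims = ((IClaimsIdentity)principal.Identity).Claims;
        var idp = claims.FirstOrDefault(c => c.ClaimType == IdentityProvider);
        var nameId = claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier);
        if (idp == null || nameId == null)
            throw new InvalidOperationException("token lacks identityprovider or nameidentifier claim");
        return idp.Value + "|" + nameId.Value;
    }
}

// Filter behind the post's [RegisteredUsersOnly] attribute: the request passes only
// when the current principal carries the application-defined registration claim.
public class RegisteredUsersOnlyAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;
        return principal.Identities.SelectMany(i => i.Claims)
                                   .Any(c => c.ClaimType == Registration.IdClaimType);
    }
    // Authenticated but unregistered users go to the registration page instead of
    // getting a 401, which the passive redirect would otherwise turn into another ACS round trip.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new RedirectResult("~/Register"); // hypothetical route
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```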
HTH
© Least Privilege or respective owner