Access Control Service v2: Registering Web Identities in your Applications [code]
- by Your DisplayName here!
You can download the full solution here.
The relevant parts in the sample are:
Configuration
I use the standard WIF configuration with passive redirect. This kicks automatically
in, whenever authorization fails in the application (e.g. when the user tries to get
to an area the requires authentication or needs registration).
Checking and transforming incoming claims
In the claims authentication manager we have to deal with two situations.
Users that are authenticated but not registered, and registered (and authenticated)
users. Registered users will have claims that come from the application domain, the
claims of unregistered users come directly from ACS and get passed through. In both
case a claim for the unique user identifier will be generated. The high level logic
is as follows:
public override IClaimsPrincipal Authenticate(
string resourceName, IClaimsPrincipal incomingPrincipal)
{
// do nothing
if anonymous request
if (!incomingPrincipal.Identity.IsAuthenticated)
{
return base.Authenticate(resourceName,
incomingPrincipal);
}
string uniqueId
= GetUniqueId(incomingPrincipal);
// check if
user is registered
RegisterModel data;
if (Repository.TryGetRegisteredUser(uniqueId, out data))
{
return CreateRegisteredUserPrincipal(uniqueId,
data);
}
// authenticated
by ACS, but not registered
//
create unique id claim
incomingPrincipal.Identities[0].Claims.Add(
new Claim(Constants.ClaimTypes.Id,
uniqueId));
return incomingPrincipal;
}
User Registration
The registration page is handled by a controller with the [Authorize] attribute.
That means you need to authenticate before you can register (crazy eh? ;). The controller
then fetches some claims from the identity provider (if available) to pre-fill form
fields.
After successful registration, the user is stored in the local data store and a new
session token gets issued. This effectively replaces the ACS claims with application
defined claims without requiring the user to re-signin.
Authorization
All pages that should be only reachable by registered users check for a special
application defined claim that only registered users have. You can nicely wrap that
in a custom attribute in MVC:
[RegisteredUsersOnly]
public ActionResult Registered()
{
return View();
}
HTH
