Sometimes it's a pain in the neck working with Claims. A lot of times you need to look for particular claim and that usually means looping through the claims collection and parsing the value to a particular type.
This little dance is the trade-off for having such a simple interface to a potentially arbitrary collection of claims. Most of the time this works, but every once in a while you need to create a basic user object that contains some strongly typed properties. You could build up a basic object like:
public class User
{
public string UserName { get; set; }
public string EmailAddress { get; set; }
public string Department { get; set; }
public List<string> Roles { get; set; }
}
This would require you to intercept the IClaimsIdentity object and search through the claims collection setting each property manually whenever you wanted to get access to the data. This can get tiresome and is error prone.
I think I've come up with a relatively complete solution to this problem. Basically it works by creating a custom IClaimsIdentity class that sets a User property through reflection. You can then access the user through Thread.CurrentPrincipal.Identity like this:
TypedClaimsIdentity ident = Thread.CurrentPrincipal.Identity as TypedClaimsIdentity;
string email = ident.User.EmailAddress.Value;
var userRoles = ident.User.Roles;
Once you've defined the particular types and their associated claims, the particular values will be set through reflection. So to declare your user properties, create a class like this:
public class MyTypedClaimsUser : TypedClaims
{
public MyTypedClaimsUser()
{
this.Name = new TypedClaim<string>();
this.EmailAddress = new TypedClaim<string>();
this.Roles = new List<TypedClaim<string>>();
this.Expiration = new TypedClaim<DateTime>();
this.AuthenticationMethod = new TypedClaim<string>();
}
[TypedClaim(ClaimTypes.Name, false)]
public TypedClaim<string> Name { get; private set; }
[TypedClaim(ClaimTypes.Email, false)]
public TypedClaim<string> EmailAddress { get; private set; }
[TypedClaim(ClaimTypes.Role, true)]
public List<TypedClaim<string>> Roles { get; private set; }
[TypedClaim(ClaimTypes.Expiration, true)]
public TypedClaim<DateTime> Expiration { get; private set; }
[TypedClaim(ClaimTypes.AuthenticationMethod, false)]
public TypedClaim<string> AuthenticationMethod { get; private set; }
[TypedClaim(ClaimTypes.GroupSid, false)]
public TypedClaim<string> GroupSid { get; private set; }
}
Each property must be defined a certain way. Each property must have a particular attribute set: TypedClaimAttribute. This attribute will help the reflection code associate the property with the expected claim. That way the Name property will always be mapped to the ClaimTypes.Name claim type, which is the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name claim. It also helps by warning the code that it's going to likely have multiple potential values, like the Role claim.
Each property is also of a particular type: TypedClaim<T>. In theory I could have just used simple types like strings but by going this route you can get access to claim metadata like Name.ClaimType or Name.Issuer. TypedClaim<T> is inherited from Claim.
So how does this all work? Well first you need to be able to add the User object into the Identity object. This is done by creating a custom IClaimsIdentity class:
[Serializable]
public class TypedClaimsIdentity : IClaimsIdentity
{
public TypedClaimsIdentity(IClaimsIdentity identity)
{
user = new MyTypedClaimsUser();
if (identity.Claims != null)
this.claims = identity.Claims;
else
claims = new ClaimCollection(identity);
this.Actor = identity.Actor;
this.AuthenticationType = identity.AuthenticationType;
Update();
}
private void Update()
{
user.Update(this.claims);
}
private MyTypedClaimsUser user;
public MyTypedClaimsUser User
{
get
{
Update();
return user;
}
}
private ClaimCollection claims;
public ClaimCollection Claims
{
get
{
Update();
return claims;
}
}
public IClaimsIdentity Actor { get; set; }
public SecurityToken BootstrapToken { get; set; }
public IClaimsIdentity Copy()
{
ClaimsIdentity claimsIdentity = new ClaimsIdentity(this.AuthenticationType);
if (this.Claims != null)
{
claimsIdentity.Claims.AddRange(claims.CopyWithSubject(claimsIdentity));
}
claimsIdentity.Label = this.Label;
claimsIdentity.NameClaimType = this.NameClaimType;
claimsIdentity.RoleClaimType = this.RoleClaimType;
claimsIdentity.BootstrapToken = this.BootstrapToken;
return claimsIdentity;
}
public string Label { get; set; }
public string NameClaimType { get; set; }
public string RoleClaimType { get; set; }
public string AuthenticationType { get; private set; }
public bool IsAuthenticated { get { return claims.Count > 0; } }
public string Name { get { return User.Name.Value; } }
}
There isn't anything spectacularly interesting about this class. The important part is the constructor. It only accepts an IClaimsIdentity object because it's designed as a way to wrap around an already created identity. It then updates the User object through Update().
The User object is updated through reflection. The Update() method calls User.Update(…) which is defined within the base class of MyTypedClaimsUser. This will call into a helper class that looks through the User object and find any properties that contain the TypedClaimAttribute.
EDIT: When it comes to reflection, there is always a better way to do something. My original code was mostly a PoC and didn't make use of existing .NET-isms. I've edited this bit to include the code changes.
The helper class was originally a bit clunky because all it did was look through the properties and if/else if's through their types and parses them:
if (type == typeof(string))
{
return new TypedClaim<string>(selectedClaims.First()) { Value = selectedClaims.First().Value };
}
This really isn't the smartest way to do it because .NET already contains some pretty strong conversion functions; specifically Convert.ChangeType(value, type).
Going this route requires generating the proper TypedClaim<T> though. Many thanks to Anna Lear because she pointed out the MakeGenericType(…) method, which allows you to take a type and convert it to a generic type with the specified type parameters. That way I could dynamically pass a type into a generic without hardcoding anything. This allows the TypedClaim<T> to be set at runtime without having to code for each particular parameter. So you end up with basic logic along the lines of:
Type constructed = typeof(TypedClaim<>).MakeGenericType(new Type[] { genericParamType });
object val = Convert.ChangeType(claim.Value, genericParamType);
return Activator.CreateInstance(constructed, claim.ClaimType, val);
The Activator.CreateInstance method will construct an instance of the particular type which will eventually be passed into PropertyInfo.Value.SetValue(…).
Finally, it's time to integrate this into your web application. The best location is probably going to be through a custom ClaimsAuthenticationManager. It works like this:
public class TypedClaimsAuthenticationManager : ClaimsAuthenticationManager
{
public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
{
if (!incomingPrincipal.Identity.IsAuthenticated)
return base.Authenticate(resourceName, incomingPrincipal);
for (int i = 0; i < incomingPrincipal.Identities.Count; i++)
incomingPrincipal.Identities[i] = new TypedClaimsIdentity(incomingPrincipal.Identities[i]);
return base.Authenticate(resourceName, incomingPrincipal);
}
}
Then to tell WIF about this new CAM you need to make a change to the web.config. Within the Microsoft.IdentityModel/Service section, add this:
<claimsAuthenticationManager type="Syfuhs.IdentityModel.TypedClaimsAuthenticationManager, Syfuhs.IdentityModel" />
By dynamically setting the values of the user object, you can create a fairly robust identity model for your application.
You can download the updated code here: typedclaimsv2.zip (6.21 kb)
You can download the original code here: typedclaims.zip (5.61 kb)