Sample program to add a claim to a token in the delegated auth use case:
using System.Collections.Generic;
using System.IO;
using System.Threading;
using IdentityClaim = Microsoft.IdentityModel.Claims.Claim;
using IdentityClaimTypes = Microsoft.IdentityModel.Claims.ClaimTypes;
using IdentityClaimsPrincipal = Microsoft.IdentityModel.Claims.ClaimsPrincipal;
using ClaimsIdentityCollection = Microsoft.IdentityModel.Claims.ClaimsIdentityCollection;
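// Elevate the current thread's principal in-process by attaching an extra role claim.
// The claim is asserted locally by this code, not issued by a security token service,
// so it only affects authorization checks that inspect the principal of this thread.
IClaimsIdentity elevatedIdentity = new ClaimsIdentity(Thread.CurrentPrincipal.Identity);

// Role value format: claim://<role>@<resource>; the resource here is a fixed sample folder name.
var roleClaimValue = $"claim://{TargetResourceRole.PrivilegedDeploymentOperator}@sample-resource-folder-test";
elevatedIdentity.Claims.Add(new IdentityClaim(IdentityClaimTypes.Role, roleClaimValue));

// Wrap the single identity in a collection and build a new principal from it.
var identities = new ClaimsIdentityCollection(new List<IClaimsIdentity> { elevatedIdentity });
var elevatedPrincipal = IdentityClaimsPrincipal.CreateFromIdentities(identities);

// Install the elevated principal on the current thread; other threads are unaffected.
Thread.CurrentPrincipal = elevatedPrincipal;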
The example above uses the Microsoft.IdentityModel namespace to show the elevation of privilege needed to run some code.
Now for the delegated auth use case:
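// Delegated-auth flow: authenticate the caller against the home STS, attach a locally
// asserted privileged role claim, then exchange the combined claim set for a delegated token.
// Identifiers not declared here (targetDnsName, authorizationHeader, resourceName, payload,
// tokenIssuanceUrl, clientCredential, userIdentifier, extraQueryParameters,
// synchronizationContext) are supplied by the surrounding code.
string homeSecurityTokenService = ConfigurationManager.GetSetting("HomeSecurityTokenService");
string securityTokenServiceRealm = ConfigurationManager.GetSetting("SecurityTokenServiceRealm");
string serviceName = ConfigurationManager.GetSetting("ServiceName");

// NOTE(review): the third constructor argument is passed as null; its meaning is not
// visible here — confirm against the ServerHomeSecurityTokenService signature.
var serverHomeSecurityTokenService = new ServerHomeSecurityTokenService(
    new Uri(securityTokenServiceRealm),
    homeSecurityTokenService,
    null);

// The identity this service presents when validating incoming tokens.
var serviceIdentity = new ServiceIdentity(
    serviceDnsHostName: targetDnsName,
    serviceNames: new[] { serviceName });

// Validate the caller's Authorization header; the result is the set of identities the STS vouches for.
var authenticator = new WebSecurityTokenAuthenticator(serverHomeSecurityTokenService, serviceIdentity);
ClaimsIdentityCollection identities = authenticator.Authenticate(authorizationHeader, resourceName);

// Role value format: claim://<role>@<folder>. This claim is added by this service after
// authentication, so it is asserted locally rather than issued by the STS.
// NOTE(review): payload.Properties.Folder is embedded without validation; if it is
// caller-controlled, constrain it before it scopes a privileged role.
var roleClaimValue = $"claim://{TargetResourceRole.PrivilegedDeploymentOperator}@{payload.Properties.Folder}";
identities.Add(new ClaimsIdentity(new List<Claim> { new Claim(ClaimTypes.Role, roleClaimValue) }));

var authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(
    tokenIssuanceUrl, true);

// Flatten every claim value into one comma-separated string for the token request.
// A claim value that itself contains ',' cannot be told apart from a separator by the receiver.
var claimValues = new List<string>();
foreach (var identity in identities)
{
    foreach (var claim in identity.Claims)
    {
        claimValues.Add(claim.Value);
    }
}
var claims = string.Join(",", claimValues);

// AcquireTokenAsync returns a Task, so it has to be awaited before AccessToken can be read;
// the enclosing method therefore needs to be async.
var authenticationResult = await authContext.AcquireTokenAsync(
    resourceName,
    clientCredential.ClientId,
    new Uri("https://DstsInternalNativeClient"),
    new PlatformParameters(PromptBehavior.Auto),
    userIdentifier,
    extraQueryParameters,
    claims,
    synchronizationContext);
var newDelegatedToken = authenticationResult.AccessToken;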