// The context object provided will have two properties you can use to determine how to authorize.
// Resource: Provides the resource type found on the method/class attribute
// Action: Provides the action found ont he method/class attribute
public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
{
// check claims and throw forbidden to deny access
// use ClaimsPrincipal Extensions to get to custom claims
var userId = context.Principal.GetOipUserID();
if (userId > 99999)
{
throw new HttpResponseException(HttpStatusCode.Forbidden);
}
//// Role checking example
bool isAdmin = false;
if (context.Principal.IsInRole("Administrators"))
isAdmin = true;
// A complete list of xmlsoap ClaimTypes native to .NET 4.5 can be found at:
// https://msdn.microsoft.com/en-us/library/microsoft.identitymodel.claims.claimtypes_members.aspx
// The following three lines are logically equivalent.
string name = context.Principal.GetClaim(ClaimTypes.Name);
name = context.Principal.GetOipUserName();
name = context.Principal.GetClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name");
// You can generally use the userid or the nameidentifier to get the user id of the authenticated user:
int portalUserId = 0;
int.TryParse(context.Principal.GetClaim("http://tylertechnologies.com/2013/claims/oip/userid"), out portalUserId);
portalUserId = context.Principal.GetOipUserID();
int.TryParse(context.Principal.GetClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), out portalUserId);
int.TryParse(context.Principal.GetClaim(ClaimTypes.NameIdentifier), out portalUserId);
string primaryEmail = context.Principal.GetClaim("http://tylertechnologies.com/2013/claims/oip/primaryemailaddress");
string emailAddress = context.Principal.GetClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
emailAddress = context.Principal.GetClaim(ClaimTypes.Email);
string firstName = context.Principal.GetClaim("http://tylertechnologies.com/2013/claims/oip/firstname");
string lastName = context.Principal.GetClaim("http://tylertechnologies.com/2013/claims/oip/lastname");
string cell = context.Principal.GetClaim("http://tylertechnologies.com/2013/claims/oip/cellphone");
string smsEmail = context.Principal.GetClaim("http://tylertechnologies.com/2013/claims/oip/smsemail");
string authenticationMethod = context.Principal.GetClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod");
string authenticationTime = context.Principal.GetClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant");
// This is an extended OIP claim. I had to change the web.config (appSettings section) in the front end app:
// <add key="RetrieveExtendedOipClaims" value="true" />
// Changed this property from false to true to get extended claims from OIP
// Be careful. Too many claims = really large cookie.
var odysseyUserId = 0;
Dictionary<string, bool> rights = new Dictionary<string, bool>();
var odysseyUsername = context.Principal.GetClaim("http://tylertechnologies.com/2013/claims/odyssey/odysseyusername");
if (odysseyUsername != null && odysseyUsername.Length > 0)
{
odysseyUserId = OdysseySecurity.GetUserIdForUserName(WebConfigHelper.SiteId, odysseyUsername);
rights = OdysseyUserRights.CheckUserRights(WebConfigHelper.SiteId, odysseyUserId);
}
// WE'RE USING PORTAL IDP, SO WE WON'T CHECK FOR ODYSSEY SUPER USER
// check for system user if using Odyssey IDP and bypass all other security checks
//if (odysseyUserId < 100)
// return Ok();
if (context.Resource() == MyWebAppResources.People)
{
if (context.Action() == MyWebAppResources.Actions.View)
return CheckPersonAccessAsync(context);
if (context.Action() == MyWebAppResources.Actions.ViewAll)
return CheckPeopleAccessAsync(context, rights);
}
return Nok();
}
