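/// <summary>
/// Populates this collection with role claims for <paramref name="claimsIdentity"/>.
/// For a <see cref="WindowsIdentity"/> that carries a token, every group SID is translated to an
/// <see cref="NTAccount"/> and the account name (with any "DOMAIN\" prefix removed) becomes a
/// <see cref="ClaimTypes.Role"/> claim. For any other identity the role claims are fetched from LDAP,
/// but only when <paramref name="ldapSettings"/> is supplied.
/// </summary>
/// <param name="claimsIdentity">The identity whose group membership is expanded into role claims.</param>
/// <param name="ldapSettings">LDAP settings used for non-Windows identities; null disables the LDAP lookup.</param>
public GroupSidClaimCollection(ClaimsIdentity claimsIdentity, LdapSettings ldapSettings)
{
    if (claimsIdentity is WindowsIdentity windowsIdentity)
    {
        // A WindowsIdentity without a token has no group SIDs to enumerate; no LDAP fallback is
        // attempted for it (same as the original behaviour).
        if (windowsIdentity.Token == IntPtr.Zero)
        {
            return;
        }

        foreach (IdentityReference groupSid in windowsIdentity.Groups)
        {
            // NOTE(review): Translate throws IdentityNotMappedException for a SID that can no longer be
            // resolved (e.g. a deleted group); a single such SID currently fails construction of the
            // whole collection. Confirm whether skipping unresolvable SIDs is acceptable here.
            IdentityReference account = groupSid.Translate(typeof(NTAccount));
            string[] domainGroups = account.Value.Split('\\');

            // Strip the "DOMAIN\" prefix so the role name is the bare group name. The claim resource is
            // always the name string (the old code passed the NTAccount object itself when no domain
            // prefix was present, so those role claims had a different resource type from the rest).
            string roleName = domainGroups.Length > 1 ? domainGroups[1] : account.Value;
            base.Add(new Claim(ClaimTypes.Role, roleName, Rights.Identity));
        }
    }
    else if (ldapSettings != null)
    {
        // A constructor cannot be async, so the LDAP lookup is blocked on here. GetAwaiter().GetResult()
        // surfaces the original exception rather than wrapping it in an AggregateException.
        List<Claim> ldapClaims = LdapAdapter.RetrieveClaimsAsync(ldapSettings, claimsIdentity.Name).GetAwaiter().GetResult();
        foreach (Claim roleClaim in ldapClaims)
        {
            base.Add(roleClaim);
        }
    }
}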
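/// <summary>
/// Builds the authorization policies for a <see cref="GenericSecurityToken"/>: an identity claim
/// (UPN when the token name contains '@' or '\', otherwise SPN), the matching primary-principal
/// claim, and, when LDAP settings are configured, the role claims retrieved for the token's identity.
/// </summary>
/// <param name="token">The token to validate; must be a <see cref="GenericSecurityToken"/>.</param>
/// <returns>A single <see cref="UnconditionalPolicy"/> carrying the assembled claim set.</returns>
/// <exception cref="ArgumentNullException">Thrown (via the diagnostic helper) when the token carries no name.</exception>
/// <exception cref="InvalidCastException">Thrown when <paramref name="token"/> is not a <see cref="GenericSecurityToken"/>.</exception>
protected override async ValueTask<ReadOnlyCollection<IAuthorizationPolicy>> ValidateTokenCoreAsync(SecurityToken token)
{
    var genericToken = (GenericSecurityToken)token;
    string principalName = genericToken.Name;
    if (principalName is null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(principalName));
    }

    // A user principal name (user@domain) or down-level name (DOMAIN\user) identifies a user;
    // any other name is treated as a service principal name.
    bool isUserPrincipal = principalName.Contains("@") || principalName.Contains(@"\");
    Claim identityClaim = isUserPrincipal
        ? new Claim(ClaimTypes.Upn, principalName, Rights.Identity)
        : new Claim(ClaimTypes.Spn, principalName, Rights.Identity);
    Claim primaryPrincipal = isUserPrincipal
        ? Claim.CreateUpnClaim(principalName)
        : Claim.CreateSpnClaim(principalName);

    List<Claim> claims = new List<Claim>(2) { identityClaim, primaryPrincipal };

    if (_ldapSettings != null)
    {
        // The LDAP lookup is keyed on the GenericIdentity name rather than principalName;
        // presumably that is the spelling the directory resolves — confirm against LdapAdapter.
        List<Claim> ldapClaims = await LdapAdapter.RetrieveClaimsAsync(_ldapSettings, genericToken.GenericIdentity.Name);
        claims.AddRange(ldapClaims);
    }

    // NOTE(review): the claim set is issued as ClaimSet.Anonymous, so authorization code that checks
    // the issuer of a claim set will not see an authenticated issuer for these claims — confirm intended.
    List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1)
    {
        new UnconditionalPolicy(genericToken.GenericIdentity, new DefaultClaimSet(ClaimSet.Anonymous, claims)),
    };
    return policies.AsReadOnly();
}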