public override void OnAuthorization(HttpActionContext actionContext)
{
string issuer = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Name).Issuer;
string UPN = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Name).Value;
string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
using (TodoListServiceMTContext db = new TodoListServiceMTContext())
{
if (!(
// Verifies if the organization to which the caller belongs is trusted.
// This onboarding style is not possible in the consent flow originated by a native app shown in this sample,
// but it could be achieved by triggering consent from an associated web application.
// For details, see the sample https://github.com/AzureADSamples/WebApp-WebAPI-MultiTenant-OpenIdConnect-DotNet
(db.Tenants.FirstOrDefault(a => ((a.IssValue == issuer) && (a.AdminConsented))) != null)
// Verifies if the caller is in the db of onboarded users.
|| (db.Users.FirstOrDefault(b => (b.UPN == UPN) && (b.TenantID == tenantID)) != null)
))
{
actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Unauthorized,
string.Format("The user {0} has not been onboarded. Sign up and try again", UPN));
}
}
}
