Windows Azure Active Directory: Converting group memberships to role claims
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;
namespace WAADDemo {
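/// <summary>
/// Claims authentication manager that uses <see cref="GraphClient"/> to read the Windows Azure AD
/// security groups of which the incoming <see cref="ClaimsPrincipal"/> is a direct member and
/// appends one role claim per group. Those role claims are what <see cref="AuthorizeAttribute"/>
/// (e.g. <c>[Authorize(Roles = "Administrators")]</c>) checks against.
/// </summary>
public class GroupToRoleClaimAuthenticationManager : ClaimsAuthenticationManager {
    /// <summary>
    /// Issuer recorded on every role claim created by this class. It is an arbitrary string whose
    /// only purpose is to let those claims be told apart from role claims issued elsewhere.
    /// </summary>
    private const string ClaimIssuerName = "waad-demo-usergroup-roleclaim";

    /// <summary>
    /// Creates the <see cref="GraphClient"/> used to look up group memberships. A new client is
    /// created on every <see cref="Authenticate"/> call; override this to supply a client from an
    /// IoC container (DependencyResolver.Current.GetService&lt;GraphClient&gt;()) or a test double.
    /// </summary>
    /// <remarks>
    /// The identity-model infrastructure does not inject dependencies into claims authentication
    /// managers, which is why the client is created here rather than received through a constructor.
    /// The constructor arguments are passed positionally; see https://gist.github.com/4182440 for
    /// the GraphClient implementation and what each argument means. The last argument looks like an
    /// application key: outside a demo, a value like that belongs in protected configuration rather
    /// than in source control.
    /// </remarks>
    protected virtual GraphClient CreateGraphClient() {
        return new GraphClient("offbeatdemo.onmicrosoft.com",
            "a071bf68-ee1d-46aa-ac6d-cfddf3826050",
            "e8a3050f-0c61-46bd-9808-ff7dd5dcdb4b",
            "JH0QbohY5/+IW25zzukjuwPjr6mpnMhgicgVA4SfF9A=");
    }

    /// <summary>
    /// Augments <paramref name="incomingPrincipal"/> with one role claim per security group the
    /// user is a direct member of.
    /// </summary>
    /// <param name="resourceName">Name of the resource being accessed. Not used: the role claims
    /// do not depend on the resource.</param>
    /// <param name="incomingPrincipal">The principal produced by the federation pipeline.</param>
    /// <returns>
    /// The same <paramref name="incomingPrincipal"/> instance. Role claims are appended only when its
    /// identity is an authenticated <see cref="ClaimsIdentity"/> with a non-empty name; in every other
    /// case the principal is returned unchanged, so the user simply ends up with no roles.
    /// </returns>
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal) {
        if (incomingPrincipal == null) {
            // Nothing to augment; hand it back unchanged like the base implementation does.
            return incomingPrincipal;
        }

        // Fail closed: if there is no authenticated ClaimsIdentity to attach claims to, add none
        // rather than throwing (a hard cast would raise InvalidCastException for a non-claims
        // identity, and an anonymous identity has no name worth looking up).
        var identity = incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name)) {
            return incomingPrincipal;
        }

        var graphClient = CreateGraphClient();
        var userGroups = graphClient.GetUserGroups(identity.Name);

        // One role claim per group: a member of the "Administrators" group gets an "Administrators"
        // role claim. Groups without a display name are skipped because Claim rejects a null value.
        // NOTE(review): the role name is the group's display name, which a directory does not
        // guarantee to be unique; authorization that must be tamper-resistant should key on the
        // group's object id instead — confirm what GraphClient exposes for that.
        var roleClaims = userGroups
            .Where(g => !string.IsNullOrEmpty(g.DisplayName))
            .Select(g => new Claim(ClaimTypes.Role, g.DisplayName, null, ClaimIssuerName));
        identity.AddClaims(roleClaims);
        return incomingPrincipal;
    }
}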
}