2

I've got my custom ClaimsAuthorizationManager working using the standard configuration file settings but I want to inject a business layer service into my implementation and I can't figure it out.

<system.identityModel>
    <identityConfiguration>
        <claimsAuthorizationManager 
            type="Authentication.AuthorizationManager, Assembly" />
        <claimsAuthenticationManager 
            type="Authentication.ClaimsTransformer, Assembly" />
    </identityConfiguration>
</system.identityModel>

I've tried manually setting it using the static FederatedAuthentication class but with no joy. The ClaimsAuthorizationModule is always null.

FederatedAuthentication.ClaimsAuthorizationModule.ClaimsAuthorizationManager = DependencyConfig.Container.Resolve<ClaimsAuthorizationManager>();

I've tried the answers from this question to try and ensure that the module is loaded...

FederatedAuthentication.WSFederationAuthenticationModule is null at runtime

...but they don't have an effect. I also wonder if the information in those is dated because I've got modules with the same names from the System.IdentityModel assembly already in my application.

I'm using Thinktecture IdentityModel but I can't see anywhere in there which solves my problem. This issue seems to hint at it but doesn't give me a solution. https://github.com/thinktecture/Thinktecture.IdentityModel/issues/9

I've resolved the issue with the null ClaimsAuthorizationModule; the answer was out of date and I needed to use the claims auth module from the System.IdentityModel.Services assembly. Now I can inject the ClaimsAuthManager but CheckAccess isn't being called.

BenCr

2 Answers

2

There's an event you can handle - FederatedAuthentication.ServiceConfigurationCreated. This allows setting the claims authorization manager programmatically.

See here: https://github.com/thinktecture/Thinktecture.AuthorizationServer/blob/master/source/WebHost/Global.asax.cs

leastprivilege
  • I was handling that event. Part of the issue was that I was trying to load the wrong module in my config; I was trying to use Microsoft.IdentityModel.Services instead of the newer System.IdentityModel.Services. When I figured that out I managed to get FederatedAuthentication.ClaimsAuthorizationModule to be initialised, but when I set the ClaimsAuthorizationManager on the static FederatedAuthentication object the CheckAccess method was never called. I've reverted my implementation to use service locator but I'll go back and try by setting the manager on the event args object instead. – BenCr Jul 09 '14 at 09:34
  • Works like a charm and means I only have to do one call to the service locator to resolve the ClaimsAuthManager rather than several hidden ones for its dependencies. – BenCr Jul 10 '14 at 10:30
1

I tried the same thing for the purpose of unit testing. But also failed. I considered that it's just not worth the time spent on it. Just instantiate the business service on the spot and let it do its job.

Liviu Mandras