Share via

IAuthorizationPolicy Interface


Defines a set of rules for authorizing a user, given a set of claims.

public interface class IAuthorizationPolicy : System::IdentityModel::Policy::IAuthorizationComponent
public interface IAuthorizationPolicy : System.IdentityModel.Policy.IAuthorizationComponent
type IAuthorizationPolicy = interface
    interface IAuthorizationComponent
Public Interface IAuthorizationPolicy
Implements IAuthorizationComponent


public class MyAuthorizationPolicy : IAuthorizationPolicy
    string id;

    public MyAuthorizationPolicy()
        id =  Guid.NewGuid().ToString();

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        bool bRet = false;
        CustomAuthState customstate = null;

        // If state is null, then this method has not been called before, so
        // set up a custom state.
        if (state == null)
            customstate = new CustomAuthState();
            state = customstate;
            customstate = (CustomAuthState)state;

        Console.WriteLine("Inside MyAuthorizationPolicy::Evaluate");

        // If claims have not been added yet...
        if (!customstate.ClaimsAdded)
            // Create an empty list of Claims.
            IList<Claim> claims = new List<Claim>();

            // Iterate through each of the claim sets in the evaluation context.
            foreach (ClaimSet cs in evaluationContext.ClaimSets)
                // Look for Name claims in the current claim set.
                foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
                    // Get the list of operations the given username is allowed to call.
                    foreach (string s in GetAllowedOpList(c.Resource.ToString()))
                        // Add claims to the list.
                        claims.Add(new Claim("http://example.org/claims/allowedoperation", s, Rights.PossessProperty));
                        Console.WriteLine("Claim added {0}", s);

            // Add claims to the evaluation context.
            evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer,claims));

            // Record that claims have been added.
            customstate.ClaimsAdded = true;

            // Return true, which indicates this need not be called again.
            bRet = true;
            // This point should not be reached, but just in case...
            bRet = true;

        return bRet;
    public ClaimSet Issuer
        get { return ClaimSet.System; }

    public string Id
        get { return id; }

    // This method returns a collection of action strings that indicate the
    // operations that the specified username is allowed to call.
    private IEnumerable<string> GetAllowedOpList(string username)
        IList<string> ret = new List<string>();

        if (username == "test1")
            ret.Add ( "http://Microsoft.ServiceModel.Samples/ICalculator/Add");
            ret.Add ("http://Microsoft.ServiceModel.Samples/ICalculator/Multiply");
        else if (username == "test2")
            ret.Add ( "http://Microsoft.ServiceModel.Samples/ICalculator/Add");
            ret.Add ("http://Microsoft.ServiceModel.Samples/ICalculator/Subtract");
        return ret;

    // internal class for state
    class CustomAuthState
        bool bClaimsAdded;

        public CustomAuthState()
            bClaimsAdded = false;

        public bool ClaimsAdded { get { return bClaimsAdded; }
                                  set {  bClaimsAdded = value; } }
Public Class MyAuthorizationPolicy
    Implements IAuthorizationPolicy
    Private value_id As String

    Public Sub New()
        value_id = Guid.NewGuid().ToString()

    End Sub 

    Public Function Evaluate(ByVal evaluationContext As EvaluationContext, _
         ByRef state As Object) As Boolean Implements IAuthorizationPolicy.Evaluate

        Dim bRet As Boolean = False
        Dim customstate As CustomAuthState = Nothing

        ' If state is null, then this method has not been called before, so 
        ' set up a custom state.
        If state Is Nothing Then
            customstate = New CustomAuthState()
            state = customstate
            customstate = CType(state, CustomAuthState)
        End If
        Console.WriteLine("Inside MyAuthorizationPolicy::Evaluate")

        ' If the claims have not been added yet...
        If Not customstate.ClaimsAdded Then
            ' Create an empty list of Claims
            Dim claims As New List(Of Claim)

            ' Iterate through each of the claimsets in the evaluation context.
            Dim cs As ClaimSet
            For Each cs In evaluationContext.ClaimSets
                ' Look for Name claims in the current claim set.
                Dim c As Claim
                For Each c In cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty)
                    ' Get the list of operations the given username is allowed to call.
                    Dim s As String
                    For Each s In GetAllowedOpList(c.Resource.ToString())

                        ' Add claims to the list
                        claims.Add(New Claim("http://example.org/claims/allowedoperation", _
                                    s, Rights.PossessProperty))
                        Console.WriteLine("Claim added {0}", s)
                    Next s
                Next c
            Next cs 
            ' Add claims to the evaluation context.
            evaluationContext.AddClaimSet(Me, New DefaultClaimSet(Me.Issuer, claims))

            ' Record that claims have been added.
            customstate.ClaimsAdded = True

            ' Return true, which indicates the method need not to be called again.
            bRet = True
            ' Should never get here, but just in case...
            bRet = True
        End If

        Return bRet

    End Function 'Evaluate

    Public ReadOnly Property Issuer() As ClaimSet Implements IAuthorizationPolicy.Issuer

            Return ClaimSet.System
        End Get
    End Property

    Public ReadOnly Property Id() As String Implements IAuthorizationPolicy.Id

            Return value_id
        End Get
    End Property
    ' This method returns a collection of action strings that indicate the 
    ' operations that the specified username is allowed to call.
    Private Shared Function GetAllowedOpList(ByVal username As String) As IEnumerable(Of String)

        Dim ret As New List(Of String)

        If username = "test1" Then
        ElseIf username = "test2" Then
        End If
        Return ret

    End Function 

    ' This is an internal class for state.
    Class CustomAuthState
        Private bClaimsAdded As Boolean

        Public Sub New()

        End Sub 

        Public Property ClaimsAdded() As Boolean
                Return bClaimsAdded
            End Get
            Set(ByVal value As Boolean)
                bClaimsAdded = value
            End Set
        End Property
    End Class 
End Class


Implement the IAuthorizationPolicy interface to add or map one set of claims to another. An authorization policy examines a set of claims and adds additional claims based on the current set. For example, an authorization policy might evaluate a claim that contains the date of birth and add a claim that asserts that the user is over 21 years old and add an Over21 claim to the EvaluationContext.

Classes that implement the IAuthorizationPolicy interface do not authorize users, but they enable the ServiceAuthorizationManager class to do so. The ServiceAuthorizationManager calls the Evaluate method for each authorization policy in effect. The Evaluate method determines whether additional claims should be added for the user, based on the current context. An authorization policy's Evaluate method may be called multiple times, as claims are added to the EvaluationContext by other authorization policies. When all authorization policies in effect are done, the ServiceAuthorizationManager class makes authorization decisions based upon the final set of claims. The ServiceAuthorizationManager class then creates an AuthorizationContext that contains an immutable set of claims that reflects these authorization decisions.



Gets a string that identifies this authorization component.

(Inherited from IAuthorizationComponent)

Gets a claim set that represents the issuer of the authorization policy.


Evaluate(EvaluationContext, Object)

Evaluates whether a user meets the requirements for this authorization policy.

Applies to

See also