Adding generation of accessors for equivalent claims #1829

wants to merge 16 commits into
base: dev
Changes from 15 commits
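--- a/Wilson.sln
+++ b/Wilson.sln
@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.29230.47
+# Visual Studio Version 17
+VisualStudioVersion = 17.1.32319.34
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{BD2706C5-6C57-484D-89C8-A0CF5F8E3D19}"
 EndProject
@@ -97,6 +97,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.IdentityModel.Val
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.IdentityModel.SampleTests", "test\Microsoft.IdentityModel.SampleTests\Microsoft.IdentityModel.SampleTests.csproj", "{578FDF8F-6568-448A-AB93-D94269593932}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.IdentityModel.Aad", "src\Microsoft.IdentityModel.Aad\Microsoft.IdentityModel.Aad.csproj", "{9F129E45-1660-42A8-B7D3-0859EBF0CB6A}"
+EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) = preSolution
 Debug|Any CPU = Debug|Any CPU
@@ -227,6 +229,10 @@ Global
 {578FDF8F-6568-448A-AB93-D94269593932}.Debug|Any CPU.Build.0 = Debug|Any CPU
 {578FDF8F-6568-448A-AB93-D94269593932}.Release|Any CPU.ActiveCfg = Release|Any CPU
 {578FDF8F-6568-448A-AB93-D94269593932}.Release|Any CPU.Build.0 = Release|Any CPU
+{9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Release|Any CPU.Build.0 = Release|Any CPU
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE
@@ -266,6 +272,7 @@ Global
 {DA585910-0E6C-45A5-AABD-30917130FD63} = {BD2706C5-6C57-484D-89C8-A0CF5F8E3D19}
 {D17F097F-6024-40BA-A7A0-015BB90F203B} = {8905D2E3-4499-4A86-BF3E-F098F228DD59}
 {578FDF8F-6568-448A-AB93-D94269593932} = {8905D2E3-4499-4A86-BF3E-F098F228DD59}
+{9F129E45-1660-42A8-B7D3-0859EBF0CB6A} = {BD2706C5-6C57-484D-89C8-A0CF5F8E3D19}
 EndGlobalSection
 GlobalSection(ExtensibilityGlobals) = postSolution
 SolutionGuid = {2F681326-7ED4-45F6-BD1D-1119EA388F42}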
3,480 changes: 3,480 additions & 0 deletions src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs


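--- /dev/null
+++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt
@@ -0,0 +1,213 @@
+<#@ template debug="false" hostspecific="false" language="C#" #>
+<#@ assembly name="System.Core" #>
+<#@ import namespace="System.Linq" #>
+<#@ import namespace="System.Text" #>
+<#@ import namespace="System.Collections.Generic" #>
+<#@ output extension=".gen.cs" #>
+<#@ include file="ClaimsKnowledge.tti" #>
+//------------------------------------------------------------------------------
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//------------------------------------------------------------------------------
+
+// THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeAccessor.tt USING T4
+// DON'T UPDATE MANUALLY
+
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+
+namespace System.IdentityModel.Aad
+{
+/// <summary>
+/// Defines extension methods to access claims by purpose, and not by name, making it compatible
+/// with several versions of tokens.
+/// </summary>
+public static partial class ClaimPrincipalExtensions
+{
+<#
+foreach(ClaimsKnowledge c in claimsKnowledge)
+{
+if (c.HasMultipleInstances)
+{
+#>
+/// <summary>
+/// Returns all the claims corresponding to <#=c.AccessorName#> on a ClaimsPrincipal:
+/// <list type="bullet">
+<#
+foreach(string s in c.AllClaimNames)
+{
+#>
+/// <item><description><#= s #></description></item>
+<#
+}
+#>
+/// </list>
+/// This method returns information that is <#= c.IsUsableInAuthorizationPolicies ? string.Empty : "NOT " #>safe to use for authorization.
+<#
+if (!string.IsNullOrEmpty(c.PrivacyCategory))
+{
+#>
+/// The privacy classification of the information returned is <#= c.PrivacyCategory #>.
+<#
+}
+#>
+/// </summary>
+/// <param name="claimsPrincipal">Claims principal from which to get the <#=c.AccessorName#>.</param>
+public static IEnumerable<string> Get<#=c.AccessorName#>(this ClaimsPrincipal claimsPrincipal)
+{
+if (claimsPrincipal == null)
+{
+throw new ArgumentNullException(nameof(claimsPrincipal));
+}
+return claimsPrincipal.GetAllClaimValues(
+<#=string.Join(",\n ", c.AllClaimNames)#>);
+}
+
+/// <summary>
+/// Returns all the claims corresponding to <#=c.AccessorName#> on a ClaimsPrincipal:
+/// <list type="bullet">
+<#
+foreach(string s in c.AllClaimNames)
+{
+#>
+/// <item><description><#= s #></description></item>
+<#
+}
+#>
+/// </list>
+/// This method returns information that is <#= c.IsUsableInAuthorizationPolicies ? string.Empty : "NOT " #>safe to use for authorization.
+<#
+if (!string.IsNullOrEmpty(c.PrivacyCategory))
+{
+#>
+/// The privacy classification of the information returned is <#= c.PrivacyCategory #>.
+<#
+}
+#>
+/// </summary>
+/// <param name="claimsIdentity">Claims ClaimsIdentity from which to get the <#=c.AccessorName#>.</param>
+public static IEnumerable<string> Get<#=c.AccessorName#>(this ClaimsIdentity claimsIdentity)
+{
+if (claimsIdentity == null)
+{
+throw new ArgumentNullException(nameof(claimsIdentity));
+}
+return claimsIdentity.GetAllClaimValues(
+<#=string.Join(",\n ", c.AllClaimNames)#>);
+}
+
+<#
+}
+else
+{
+#>
+/// <summary>
+/// Returns the first claim corresponding to <#=c.AccessorName#> claim on a ClaimsPrincipal
+/// <list type="bullet">
+<#
+foreach(string s in c.AllClaimNames)
+{
+#>
+/// <item><description><#= s #></description></item>
+<#
+}
+#>
+/// </list>
+/// This method returns information that is <#= c.IsUsableInAuthorizationPolicies ? string.Empty : "NOT " #>safe to use for authorization.
+<#
+if (!string.IsNullOrEmpty(c.PrivacyCategory))
+{
+#>
+/// The privacy classification of the information returned is <#= c.PrivacyCategory #>.
+<#
+}
+#>
+/// </summary>
+/// <param name="claimsPrincipal">Claims ClaimsPrincipal from which to get the <#=c.AccessorName#>.</param>
+public static string Get<#=c.AccessorName#>(this ClaimsPrincipal claimsPrincipal)
+{
+if (claimsPrincipal == null)
+{
+throw new ArgumentNullException(nameof(claimsPrincipal));
+}
+return claimsPrincipal.GetClaimValue(
+<#=string.Join(",\n ", c.AllClaimNames)#>);
+}
+
+/// <summary>
+/// Returns the first claim corresponding to <#=c.AccessorName#> claim on a ClaimsIdentity
+/// <list type="bullet">
+<#
+foreach(string s in c.AllClaimNames)
+{
+#>
+/// <item><description><#= s #></description></item>
+<#
+}
+#>
+/// </list>
+/// This method returns information that is <#= c.IsUsableInAuthorizationPolicies ? string.Empty : "NOT " #>safe to use for authorization.
+<#
+if (!string.IsNullOrEmpty(c.PrivacyCategory))
+{
+#>
+/// The privacy classification of the information returned is <#= c.PrivacyCategory #>.
+<#
+}
+#>
+/// </summary>
+/// <param name="claimsIdentity">Claims ClaimsIdentity from which to get the <#=c.AccessorName#>.</param>
+public static string Get<#=c.AccessorName#>(this ClaimsIdentity claimsIdentity)
+{
+if (claimsIdentity == null)
+{
+throw new ArgumentNullException(nameof(claimsIdentity));
+}
+return claimsIdentity.GetClaimValue(
+<#=string.Join(",\n ", c.AllClaimNames)#>);
+}
+<#
+}
+}
+#>
+
+
+private static Dictionary<string, string[]> equivalentClaims = new Dictionary<string, string[]>
+{
+<#
+foreach(ClaimsKnowledge c in claimsKnowledge)
+{
+foreach(string claim in c.AllClaimNames)
+{
+#>
+{ <#=claim#>, new string[]{ <#= string.Join(", ", c.AllClaimNames) #> } },
+<#
+}
+}
+#>
+};
+}
+}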
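Review bot: The `equivalentClaims` collection initializer at the end of the template will throw during type initialization if any claim name belongs to more than one ClaimsKnowledge entry, because each `{ key, value }` entry compiles to `Dictionary.Add`, which rejects duplicate keys, and the resulting TypeInitializationException would surface on the first call to any accessor in `ClaimPrincipalExtensions`. ClaimsAccessorsDoc.md in this PR lists `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier` under both GetNameId and GetSubject, so if that table is produced from the same `claimsKnowledge` data the duplicate already exists; the sketch below merges the names of entries that share a key before emitting them (and marks the field `readonly`, since nothing in this file mutates it), or, if equivalence is not meant to be transitive, the template should fail its run with a clear message instead. Because `GetClaimValue` returns the first claim found across the listed names and several accessors are documented as safe to use for authorization, the generated summary should also state the precedence, e.g. `/// When more than one of these claims is present, the first one in the order listed above is returned.`, so callers do not assume the values were reconciled. Two smaller points: the banner on the generated file names `ClaimsTypeAccessor.tt` while the template is `ClaimTypeAccessor.tt`, and the output is placed in `namespace System.IdentityModel.Aad` although the project is `Microsoft.IdentityModel.Aad`; `ArgumentNullException` currently resolves only because that namespace nests under `System`, so correcting it requires adding `using System;`.
```csharp
private static readonly Dictionary<string, string[]> equivalentClaims = new Dictionary<string, string[]>
{
<#
// Merge entries that share a claim name so the initializer never emits the same key twice.
var equivalents = new Dictionary<string, List<string>>();
foreach (ClaimsKnowledge c in claimsKnowledge)
{
    foreach (string claim in c.AllClaimNames)
    {
        List<string> names;
        if (!equivalents.TryGetValue(claim, out names))
        {
            names = new List<string>();
            equivalents[claim] = names;
        }
        foreach (string n in c.AllClaimNames)
        {
            if (!names.Contains(n))
            {
                names.Add(n);
            }
        }
    }
}
foreach (var entry in equivalents)
{
#>
{ <#=entry.Key#>, new string[]{ <#= string.Join(", ", entry.Value) #> } },
<#
}
#>
};
// … unchanged: closing braces of the class and namespace …
```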
90 changes: 90 additions & 0 deletions src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md
@@ -0,0 +1,90 @@

# Claims

Type | Accessor | Used for authorization | Privacy | Claims
-- | -- | -- | -- | --
string | GetActor | False | | actort<BR/> http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor

I think actor is PII, as the return is another token.

string | GetIsGuestAccount | True | | acct
string | GetLastAuthenticatedTime | False | | auth_time
string | GetBirthdate | False | EUII | birthdate<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
string | GetCountry | False | EUII | ctry
string | GetEmail | False | EUII | email<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
string | GetFamilyName | False | EUII | family_name<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
string | GetGender | False | EUII | gender<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender
string | GetGivenName | False | EUII | given_name<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
string | GetNameId | False | | nameid<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
string | GetSubject | False | | sub<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
string | GetWebsite | False | | website<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage
string | GetUniqueName | False | EUPI | unique_name<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
string | GetObjectId | True | EUPI | oid<BR/> http://schemas.microsoft.com/identity/claims/objectidentifier
IEnumerable<string> | GetScopes | True | | scp<BR/> http://schemas.microsoft.com/identity/claims/scope
string | GetTenantId | True | OII | tid<BR/> http://schemas.microsoft.com/identity/claims/tenantid
string | GetAuthenticationContextClassReference | False | | acr<BR/> http://schemas.microsoft.com/claims/authnclassreference
string | GetAdfs1Email | False | EUPI | adfs1email<BR/> http://schemas.xmlsoap.org/claims/EmailAddress
string | GetAdfs1Upn | False | EUPI | adfs1upn<BR/> http://schemas.xmlsoap.org/claims/UPN
string | GetAmr | False | | amr<BR/> http://schemas.microsoft.com/claims/authnmethodsreferences

amr is definitely used in Authorization as this defines how the subject authenticated with the identity provider.

string | GetAuthenticationMethod | False | | authmethod<BR/> http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
string | GetCertAppPolicy | False | | certapppolicy<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy
string | GetCertAuthorityKeyIdentifier | False | | certauthoritykeyidentifier<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier
string | GetCertBasicConstraints | False | | certbasicconstraints<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints
string | GetCertEku | False | | certeku<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku
string | GetCertIssuer | False | | certissuer<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer
string | GetCertIssuerName | False | | certissuername<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername
string | GetCertKeyUsage | False | | certkeyusage<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage
string | GetCertNotAfter | False | | certnotafter<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter
string | GetCertNotBefore | False | | certnotbefore<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore
string | GetCertPolicy | False | | certpolicy<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy
string | GetCertPublickey | False | | certpublickey<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa
string | GetCertRawData | False | | certrawdata<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata
string | GetCertSerialNumber | False | | certserialnumber<BR/> http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber
string | GetCertSignatureAlgorithm | False | | certsignaturealgorithm<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm
string | GetCertSubject | False | | certsubject<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/field/subject
string | GetCertSubjectAltName | False | | certsubjectaltname<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/san
string | GetCertSubjectKeyIdentifier | False | | certsubjectkeyidentifier<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier
string | GetCertSubjectName | False | | certsubjectname<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname
string | GetCertTemplateInformation | False | | certtemplateinformation<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation
string | GetCertTemplateName | False | | certtemplatename<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename
string | GetCertThumbprint | False | | certthumbprint<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint
string | GetCertX509Version | False | | certx509version<BR/> http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version
string | GetClientApplication | True | | clientapplication<BR/> http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
string | GetClientIp | False | EUPI | clientip<BR/> http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip
string | GetClientUserAgent | False | | clientuseragent<BR/> http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
string | GetCommonName | False | EUPI | commonname<BR/> http://schemas.xmlsoap.org/claims/CommonName
string | GetDenyOnlyPrimaryGroupSid | False | | denyonlyprimarygroupsid<BR/> http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid
string | GetDenyOnlyPrimarySid | False | | denyonlyprimarysid<BR/> http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid
string | GetDenyOnlySid | False | | denyonlysid<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
string | GetDeviceDisplayName | False | | devicedispname<BR/> http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname
string | GetDeviceId | False | | deviceid<BR/> http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier
string | GetDeviceIsManaged | False | | deviceismanaged<BR/> http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged
string | GetDeviceOsType | False | | deviceostype<BR/> http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype
string | GetDeviceOsVer | False | | deviceosver<BR/> http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion
string | GetDeviceOwner | False | EUPI | deviceowner<BR/> http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner
string | GetDeviceRegId | False | | deviceregid<BR/> http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid
string | GetEndpointPath | False | | endpointpath<BR/> http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
string | GetForwardedClientIp | False | | forwardedclientip<BR/> http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
IEnumerable<string> | GetGroup | False | | group<BR/> http://schemas.xmlsoap.org/claims/Group
IEnumerable<string> | GetGroupsId | False | | groupsid<BR/> http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
string | GetTokenType | False | | idtyp
string | GetIdp | True | | idp<BR/> http://schemas.microsoft.com/identity/claims/identityprovider
string | GetInsideCorporateNetwork | True | | insidecorporatenetwork<BR/> http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork
string | GetIsRegisteredUser | True | | isregistereduser<BR/> http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser
string | GetLoginHint | False | | login_hint
string | GetPrivatePersonalIdentifier | False | EUPI | ppid<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
string | GetPrimaryGroupSid | True | | primarygroupsid<BR/> http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid
string | GetPrimarySid | True | | primarysid<BR/> http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
string | GetProxy | False | | proxy<BR/> http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
string | GetPwdChgEndpoint | False | | pwdchgurl<BR/> http://schemas.microsoft.com/ws/2012/01/passwordchangeurl
string | GetPwdExpDays | False | | pwdexpdays<BR/> http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays
string | GetPwdExpTime | False | | pwdexptime<BR/> http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime
string | GetRelyingPartyTrustId | False | | relyingpartytrustid<BR/> http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid
IEnumerable<string> | GetRole | True | | role<BR/> roles<BR/> http://schemas.microsoft.com/ws/2008/06/identity/claims/role
string | GetSid | True | | sid
string | GetUpn | False | EUPI | upn<BR/> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
string | GetWindowsAccountName | False | EUPI | winaccountname<BR/> http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
string | GetVerifiedPrimaryEmail | False | EUPI | verified_primary_email
string | GetVerifiedSecondaryEmail | False | EUPI | verified_secondary_email
string | GetVNet | False | | vnet
string | GetPreferedDataLocation | False | | xms_pdl
string | GetUserPreferedLanguage | False | | xms_tpl
string | GetZeroTouchDeploymentId | False | | ztdid
