author | Andrew Arnott <andrewarnott@gmail.com> | 2009-06-23 20:33:54 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-06-23 20:33:54 -0700 |
commit | 81672a6eb31990005c3e9e7ecabdb3efffdb0a78 (patch) | |
tree | c197074c7939b12b6ac777787c704846b244f08a /samples/OAuthServiceProvider | |
parent | 39dea3bfb16fd38b1f6aafb1324abcd006a358be (diff) | |
OAuth WCF service sample now impersonates the original user in the thread's current principal.
Diffstat (limited to 'samples/OAuthServiceProvider')
3 files changed, 64 insertions, 1 deletions
diff --git a/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs b/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
index fce1ad4..10f9ef0 100644
--- a/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
+++ b/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
@@ -1,7 +1,10 @@
 using System;
+using System.Collections.Generic;
+using System.IdentityModel.Policy;
 using System.Linq;
 using System.ServiceModel;
 using System.ServiceModel.Channels;
+using System.ServiceModel.Security;
 using DotNetOpenAuth;
 using DotNetOpenAuth.OAuth;
@@ -24,6 +27,19 @@ public class OAuthAuthorizationManager : ServiceAuthorizationManager {
 			if (auth != null) {
 				var accessToken = Global.DataContext.OAuthTokens.Single(token => token.Token == auth.AccessToken);
+				var policy = new OAuthPrincipalAuthorizationPolicy(sp.CreatePrincipal(auth));
+				var policies = new List<IAuthorizationPolicy> {
+					policy,
+				};
+				var securityContext = new ServiceSecurityContext(policies.AsReadOnly());
+				if (operationContext.IncomingMessageProperties.Security != null) {
+					operationContext.IncomingMessageProperties.Security.ServiceSecurityContext = securityContext;
+				} else {
+					operationContext.IncomingMessageProperties.Security = new SecurityMessageProperty {
+						ServiceSecurityContext = securityContext,
+					};
+				}
+
 				// Only allow this method call if the access token scope permits it.
 				string[] scopes = accessToken.Scope.Split('|');
 				if (scopes.Contains(operationContext.IncomingMessageHeaders.Action)) {
diff --git a/samples/OAuthServiceProvider/App_Code/OAuthPrincipalAuthorizationPolicy.cs b/samples/OAuthServiceProvider/App_Code/OAuthPrincipalAuthorizationPolicy.cs
new file mode 100644
index 0000000..5bd6b05
--- /dev/null
+++ b/samples/OAuthServiceProvider/App_Code/OAuthPrincipalAuthorizationPolicy.cs
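Review bot: The new ServiceSecurityContext is installed on IncomingMessageProperties before the scope check that follows it, so a principal is attached to the operation context even for calls that `if (scopes.Contains(operationContext.IncomingMessageHeaders.Action))` goes on to reject; moving the whole policy/security-context block inside that guard keeps the OAuth principal on authorized calls only and skips the allocations on the failure path. Overwriting `Security.ServiceSecurityContext` when a `Security` property already exists also discards any identity the transport or message security layer established, which looks intended but deserves a comment such as `// Replace any transport-established identity with the OAuth principal; WCF surfaces it as Thread.CurrentPrincipal via principalPermissionMode="Custom".` The `sp` behind `sp.CreatePrincipal(auth)` and the method enclosing this hunk both start and end outside it, so whether a rejected call returns false or throws is not visible here.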
@@ -0,0 +1,45 @@
+using System;
+using System.Collections.Generic;
+using System.IdentityModel.Claims;
+using System.IdentityModel.Policy;
+using System.Linq;
+using System.Web;
+using DotNetOpenAuth.OAuth.ChannelElements;
+
+public class OAuthPrincipalAuthorizationPolicy : IAuthorizationPolicy {
+	private readonly Guid uniqueId = Guid.NewGuid();
+	private readonly OAuthPrincipal principal;
+
+	/// <summary>
+	/// Initializes a new instance of the <see cref="OAuthPrincipalAuthorizationPolicy"/> class.
+	/// </summary>
+	/// <param name="principal">The principal.</param>
+	public OAuthPrincipalAuthorizationPolicy(OAuthPrincipal principal) {
+		this.principal = principal;
+	}
+
+	#region IAuthorizationComponent Members
+
+	/// <summary>
+	/// Gets a unique ID for this instance.
+	/// </summary>
+	public string Id {
+		get { return this.uniqueId.ToString(); }
+	}
+
+	#endregion
+
+	#region IAuthorizationPolicy Members
+
+	public ClaimSet Issuer {
+		get { return ClaimSet.System; }
+	}
+
+	public bool Evaluate(EvaluationContext evaluationContext, ref object state) {
+		evaluationContext.AddClaimSet(this, new DefaultClaimSet(Claim.CreateNameClaim(this.principal.Identity.Name)));
+		evaluationContext.Properties["Principal"] = this.principal;
+		return true;
+	}
+
+	#endregion
+}
diff --git a/samples/OAuthServiceProvider/Web.config b/samples/OAuthServiceProvider/Web.config
index 894ad38..d039daa 100644
--- a/samples/OAuthServiceProvider/Web.config
+++ b/samples/OAuthServiceProvider/Web.config
@@ -143,7 +143,9 @@
 				<behavior name="DataApiBehavior">
 					<serviceMetadata httpGetEnabled="true"/>
 					<serviceDebug includeExceptionDetailInFaults="true"/>
-					<serviceAuthorization serviceAuthorizationManagerType="OAuthAuthorizationManager, __code"/>
+					<serviceAuthorization
+						serviceAuthorizationManagerType="OAuthAuthorizationManager, __code"
+						principalPermissionMode="Custom" />
 				</behavior>
 			</serviceBehaviors>
 		</behaviors>
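Review bot: The constructor stores `principal` without validating it, and `Evaluate` then dereferences `this.principal.Identity.Name`, so a null principal (whatever `CreatePrincipal` returns on a bad token) surfaces as a NullReferenceException inside WCF's authorization pipeline rather than at the construction site; add `if (principal == null) { throw new ArgumentNullException("principal"); }` as the first statement of the constructor. `Issuer` returns `ClaimSet.System`, which labels a name claim that actually originates from an OAuth access token as system-issued; that may be acceptable for a sample, but a one-line comment stating the choice would help a reader who later adds claim-based authorization. `Issuer` and `Evaluate` lack the XML doc comments the rest of the file carries (the summary for `Evaluate` should say that it adds a name claim for the OAuth principal and publishes the principal under `Properties["Principal"]` for WCF's Custom principal permission mode), and `using System.Linq;` and `using System.Web;` are unused in this file.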
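Review bot: `principalPermissionMode="Custom"` only yields a meaningful Thread.CurrentPrincipal when an authorization policy has stored one under `Properties["Principal"]`, which in this sample happens only on the OAuth-authenticated path in OAuthAuthorizationManager; what the operation sees for requests that never reach that code is not visible from this change and should be stated next to the setting, e.g. `<!-- Custom: Thread.CurrentPrincipal is supplied by OAuthPrincipalAuthorizationPolicy via Properties["Principal"]; only OAuth-authorized calls carry it. -->`. The context line `includeExceptionDetailInFaults="true"` above it exposes exception details to callers; fine for a sample, but worth a comment that it must be off in a real deployment.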