Adding generation of accessors for equivalent claims

[jmprieur]

Adding generation of accessors for claims independently of AAD token version of the token
See #1800

Developer experience:

1. Add a using:

   using Microsoft.IdentityModel.Tokens.Jwt,

2. In the code, on a ClaimsPrincipal or an IdentityPrincipal instance, you will get access to extension methods that retrieve the claims in the instance independently of them being long or short claims (which depends on the token version: v1.0 or v2.0 tokens). Developers will also get completion telling them if the claim is safe or not for use in authorization policies, and what privacy category they belong to
   

See also the description of the accessors:

ClaimsAccessorDoc.md

Design

This PR a bit different from others: It uses code generation
The claims are described in ClaimsKnowledge.tti (Text Template Include file)
This include file is included in:

• ClaimTypeMapping.tt, which generates ClaimTypeMapping.cs (which was already existing),
• ClaimsTypeAccessor.tt, which generates ClaimsTypeAccessor.gen.cs, which contains a partial class implementation of ClaimsTypeAccessor, the other partial being in ClaimsTypeAccessor.cs
• ClaimsAccessorDoc.tt, which generates ClaimsAccessorDoc.md

[jmprieur]

Added a few explanations

[jmprieur]

This is a T4 file that generates the ClaimTypeMapping.cs from the ClaimsKnowledge.tti.

[jmprieur]

This class is not product code, but control code to generate the product code.
This data structure describes the claims information.

[brentschmaltz]

I am not understanding why we need a template model.
I have used .tt's when using typescript that will generate different jscript mapped to a release.

How does the tti help us?

[jmprieur]

It avoids writing 5000 lines of code

[brentschmaltz]

@jmprieur i will educate myself about this technique.

[jmprieur]

I can spend 10 minutes with you @brentschmaltz if you wish. Also you might want to install this Visual Studio extension: https://marketplace.visualstudio.com/items?itemName=bricelam.T4Language

[brentschmaltz]

@jmprieur Would this require users to install this extension to build?

[jmprieur]

no. not at all. It's an editor extension so that the syntax coloring help understanding the T4 code

[jmprieur]

When you save the ClaimTypeAccessor.tt this generates the ClaimTypeAccessor.gen.cs which contain a partial class implementation of ClaimTypeAccessor.cs

[brentschmaltz]

How do we know 'idp' (or any other claim) is or is not 'usableForAuthorization' ?

[jmprieur]

It might be. I've started a conversation with a few people about what claim should be. (same for the privacy)

[kalyankrishna1]

GetAdfs1Upn

Wouldn't this cause confusion as it references a claim like upn which will almost always be present in tokens issued to users?
It might give n incorrect impression that the user authenticated with ADFS, even if they didn't.

[jmprieur]

I don't know what this claim is. Maybe it's only available when users logged with UPN

[kalyankrishna1]

Acr

there is also acrs, and these two acr and acrs cause enough confusion. So my suggestion would be to use full name if possible , like GetAuthncClassReference

[jmprieur]

@kalyankrishna1: do you mean GetAuthenticationClassReference?

[kalyankrishna1]

GetWinaccountname

EUPI?

[brentschmaltz]

A couple of general concerns:

1. some of the categories seems to be AAD specific, IdentityModel has always tried to be neutral?
2. can users set their own categories?
3. there is no general spec for the category of claims, how can one say claim 'a' is in a category in general?

[jmprieur]

1. Do we want to move this into SAL?
2. The categories are privacy categories (well defined. could almost be an enum). For 3) will follow-up offline

[brentschmaltz]

The ns is System.IdentityModel.Aad, but folder and file names are Microsoft.IdentityModel.*

All our new work uses Microsoft.IdentityModel.*

[jmprieur]

Thank @brentschmaltz: I fixed the generators (which fixed the code)
a38cc2f

[brentschmaltz]

@jmprieur this statement needs some adjustment:

that retrieve the claims in the instance independently of them being long or short claims (which depends on the token version: v1.0 or v2.0 tokens)

long or short claim types is not a result of token version, it is a result of the claims mapping in the JwtSecurityTokenHandler.
AAD v1.0 and v2.0 have different claims that represent the same concept see access_tokens..

For example: v1.appid <-> v2.azp, v1.appidacr <-> v2. azpacr

[brentschmaltz]

amr is definitely used in Authorization as this defines how the subject authenticated with the identity provider.

[brentschmaltz]

i think actor is PII as the return is another token.

[brentschmaltz]

we have been using the coding style:

_ = user ?? throw new ArgumentNullException();

[brentschmaltz]

How will this plug into our logging model?

[brentschmaltz]

We have been using a single location for log messages, each with an identifier that allows for quickly identifying the assembly and location of the issue.
see: LogMessages

[brentschmaltz]

this parameter is a ClaimsPrincipal.
we may want to write:

/// <param name="claimsPrincipal"> the <see cref="ClaimsPrincipal"/> to check for a claim 
/// of one of the requiredClaims.</param>

This comment applies to methods below.

[brentschmaltz]

This method is not returning a Claim, but a Claim.Value (which may be a complex type, bool, int, null).
In this case, the user will not know the type of the Value as that is contained in Claim.ValueType.

One option is to return a Claim.
Our JWT -> Claim logic is here.

JsonWebToken has added TryGetPayloadValue to try and deal with this.