Class ActorAttributes
- Namespace
- Trellis.Authorization
- Assembly
- Trellis.Authorization.dll
Well-known attribute keys for Attributes used in attribute-based access control (ABAC) checks. Claim-based keys align with Azure Entra ID v2.0 access token claims. Use these constants instead of raw strings to prevent key-casing mismatches.
public static class ActorAttributes
- Inheritance
- ActorAttributes
Remarks
Attributes sourced from JWT claims should be mapped during Actor hydration in IActorProvider. Non-claim attributes (e.g., IpAddress, MfaAuthenticated) are derived from the request context.
For the full v2.0 claims reference, see https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference.
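An added example, not Trellis code: the hydration-time mapping described above, written as a stand-alone helper that fills an attribute dictionary from a ClaimsPrincipal and the connection's IP address. The helper name, the dictionary shape, the space-joined handling of multi-valued claims, the rule that an amr value of "mfa" means MFA, and the premise that inbound claim-type mapping is disabled (so claims keep their short names) are assumptions; the key strings are the constant values documented on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Claims;

// Hypothetical helper, not part of Trellis. Key strings are copied from the
// ActorAttributes constants documented on this page.
public static class ActorAttributeMapper
{
    // Claims copied through unchanged: attribute key == claim type.
    private static readonly string[] ClaimKeys = { "tid", "azp", "azpacr", "acrs", "preferred_username" };

    public static IReadOnlyDictionary<string, string> Build(ClaimsPrincipal user, IPAddress? remoteIp)
    {
        // Ordinal comparer: a lookup for "TID" or "Mfa" must not match "tid" / "mfa".
        var attrs = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var key in ClaimKeys)
        {
            // Multi-valued claims are joined (assumption); absent claims are omitted
            // rather than stored as "", so a policy can tell missing from empty.
            var values = user.FindAll(key).Select(c => c.Value).ToArray();
            if (values.Length > 0) attrs[key] = string.Join(" ", values);
        }

        // "mfa" is derived, not copied: true only if some amr entry equals "mfa".
        bool mfa = user.FindAll("amr").Any(c => string.Equals(c.Value, "mfa", StringComparison.Ordinal));
        attrs["mfa"] = mfa ? "true" : "false";

        // "ip_address" comes from the connection, never from the token.
        if (remoteIp is not null) attrs["ip_address"] = remoteIp.ToString();
        return attrs;
    }

    public static void Main()
    {
        // Constructed sample identity standing in for a validated access token.
        var user = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("tid", "00000000-0000-0000-0000-000000000001"),
            new Claim("azp", "00000000-0000-0000-0000-0000000000aa"),
            new Claim("azpacr", "2"),
            new Claim("amr", "pwd"),
            new Claim("amr", "mfa"),
        }, authenticationType: "Bearer"));
        foreach (var kv in Build(user, IPAddress.Parse("203.0.113.7")))
            Console.WriteLine($"{kv.Key} = {kv.Value}");
    }
}
```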
Fields
AuthContextClassReference
Authentication context class reference for Conditional Access step-up authentication.
Corresponds to the acrs claim.
Use to enforce that a specific Conditional Access authentication context was satisfied
(e.g., requiring MFA within the last 10 minutes for sensitive operations).
public const string AuthContextClassReference = "acrs"
AuthorizedParty
The Application ID of the client application that requested the token.
Corresponds to the azp (Authorized Party) claim.
Use to restrict operations to specific client applications.
public const string AuthorizedParty = "azp"
AuthorizedPartyAcr
Indicates how the client application authenticated.
Corresponds to the azpacr claim.
Values: "0" = public client (no secret), "1" = client secret,
"2" = certificate.
public const string AuthorizedPartyAcr = "azpacr"
IpAddress
Client IP address. Not a v2.0 JWT claim — populate from
HttpContext.Connection.RemoteIpAddress during Actor hydration.
public const string IpAddress = "ip_address"
MfaAuthenticated
Whether the actor authenticated with multi-factor authentication.
Not a direct v2.0 claim — derive from the amr (Authentication Methods References)
claim during Actor hydration. Expected values: "true", "false".
public const string MfaAuthenticated = "mfa"
PreferredUsername
The primary human-readable identifier for the user (usually an email or UPN).
Corresponds to the preferred_username claim.
Suitable for display and audit logging — do not use for authorization logic
as this value can change (e.g., when a user is renamed).
public const string PreferredUsername = "preferred_username"
TenantId
Tenant identifier. Corresponds to the tid claim in Azure Entra ID v2.0 tokens.
The GUID of the Microsoft Entra tenant that issued the token.
public const string TenantId = "tid"