identityserver4

How do you ask IdentityServer 4 to update claims without logging in?


I want to be able to turn on and off protection for a certain area of my site. I use IdentityServer to populate the claims on an MVC app, and thereby determine access capabilities.

For instance, I have a claim of type 'video_viewer_role' which, when specified, determines whether the current identity can view videos on the website. The idea is that I can switch this functionality on and off via a claim, including for anonymous users.

So, what I want is for my Controller Action to call up IdentityServer and ask whether the current user has a claim, but without triggering an authentication process. So if the user is not authenticated, I'd get an up-to-date claim value for "video_viewer_role" depending on what this was set to in the claims store that backs the identity server.

Is this possible?


Solution

  • You should probably read this ... https://leastprivilege.com/2016/12/16/identity-vs-permissions/ before you go too far along the route of mixing up identity with permissions.

    Ideally you shouldn't be providing claims about permissions ('can_view_video') especially if that is going to be changing through the course of a session. Claims are supposed to model the identity of a user, not the things they can do. Then, closer to your protected resources, you can use that identity to verify whether the user has permission to do the things they are trying to do (i.e. view the video).

    EDIT: It still sounds like claims aren't the right mechanism for this, IMHO. Claims model the identity of a user, so it doesn't make sense to try to use claims for anonymous users ... the only thing you can say about them is that they are anonymous.

    You say you are going to 'switch the functionality on/off', presumably via a db, so why not make the permission checking mechanism just check your db? You could create an attribute for your controller ('RequiresVideoViewerPermissions'), which checks in your db for how you've restricted your video access. For example, you could have a setting called 'VideoViewerRequiredRole' in the db, and then you set its value to either a role or just null if you want everyone to be able to view it. Just as an example, your logged in users might have the role of 'MyAppUser', your admins 'MyAppAdmin' etc ...

    This removes the permissions from claims and allows you to control it for authenticated users and/or anonymous users depending on how you set it up.
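The following is an added illustration of the approach the answer sketches (a permission check that consults a db-backed setting instead of a claim); it is not code from the answerer or from IdentityServer. It assumes ASP.NET Core with `Microsoft.AspNetCore.Authorization`; the `IVideoAccessSettings` store, the setting `VideoViewerRequiredRole` and the role names `MyAppUser`/`MyAppAdmin` are hypothetical and taken from the answer's example.

```csharp
// Added example, not part of the original answer. Assumes ASP.NET Core 6+.
// IVideoAccessSettings, the 'VideoViewerRequiredRole' setting and the role
// names are hypothetical placeholders for a real db-backed setting.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over the db setting; a real implementation would
// read it from the application's database on each call.
public interface IVideoAccessSettings
{
    // Returns the role required to view videos, or null when everyone
    // (including anonymous users) may view them.
    Task<string?> GetVideoViewerRequiredRoleAsync();
}

// In-memory stand-in for the db so the example runs without one.
public sealed class InMemoryVideoAccessSettings : IVideoAccessSettings
{
    public string? RequiredRole { get; set; } = "MyAppUser";
    public Task<string?> GetVideoViewerRequiredRoleAsync() => Task.FromResult(RequiredRole);
}

// Marker requirement; the handler below performs the per-request check.
public sealed class VideoViewerRequirement : IAuthorizationRequirement { }

public sealed class VideoViewerHandler : AuthorizationHandler<VideoViewerRequirement>
{
    private readonly IVideoAccessSettings _settings;
    public VideoViewerHandler(IVideoAccessSettings settings) => _settings = settings;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, VideoViewerRequirement requirement)
    {
        // Read the current switch state; nothing is cached in the identity,
        // so flipping the setting takes effect on the next request.
        var requiredRole = await _settings.GetVideoViewerRequiredRoleAsync();

        // null means the restriction is switched off: anonymous users pass too.
        if (requiredRole is null)
        {
            context.Succeed(requirement);
            return;
        }

        // Otherwise the caller must be authenticated and hold the configured role.
        if (context.User.Identity?.IsAuthenticated == true && context.User.IsInRole(requiredRole))
        {
            context.Succeed(requirement);
        }
        // Not calling context.Fail() leaves the requirement unmet, so the
        // policy denies access (a challenge for anonymous callers, 403 for
        // authenticated callers without the role).
    }
}

// Registration for Program.cs (or Startup.ConfigureServices).
public static class VideoAuthorizationSetup
{
    public static IServiceCollection AddVideoViewerPolicy(this IServiceCollection services)
    {
        services.AddSingleton<IVideoAccessSettings, InMemoryVideoAccessSettings>();
        services.AddScoped<IAuthorizationHandler, VideoViewerHandler>();
        services.AddAuthorization(options =>
            options.AddPolicy("VideoViewer", policy =>
                policy.AddRequirements(new VideoViewerRequirement())));
        return services;
    }
}

// The policy attribute replaces a claim check on the action. Because the
// policy carries no RequireAuthenticatedUser requirement, anonymous users are
// admitted whenever the db setting is null.
public class VideosController : Controller
{
    [Authorize(Policy = "VideoViewer")]
    public IActionResult Watch(int id) => View();
}
```

Because the decision is made in the handler at request time, the MVC app never needs to round-trip to IdentityServer to refresh a claim: the identity stays as issued, and the permission is looked up where the answer suggests, next to the protected resource.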