reworked based on comments, added sample using Autofac IOC container to demonstrate usage

Author: 8snit

Microsoft.Owin.Security.Authorization.sln

@@ -36,6 +36,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebApi Custom Handler", "sa
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebApi SelfHost", "samples\WebApi SelfHost\WebApi SelfHost.csproj", "{7CCE795D-D98C-41E7-834E-64A2D7B2D1DF}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebApi Autofac", "samples\WebApi Autofac\WebApi Autofac.csproj", "{D91FE09B-BFBB-4F96-ADAF-2D60716793F2}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -86,6 +88,10 @@ Global
 		{7CCE795D-D98C-41E7-834E-64A2D7B2D1DF}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{7CCE795D-D98C-41E7-834E-64A2D7B2D1DF}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{7CCE795D-D98C-41E7-834E-64A2D7B2D1DF}.Release|Any CPU.Build.0 = Release|Any CPU
+		{D91FE09B-BFBB-4F96-ADAF-2D60716793F2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{D91FE09B-BFBB-4F96-ADAF-2D60716793F2}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{D91FE09B-BFBB-4F96-ADAF-2D60716793F2}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{D91FE09B-BFBB-4F96-ADAF-2D60716793F2}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -102,5 +108,6 @@ Global
 		{43DBB1B1-539B-4740-9CC8-998A742C598A} = {E1616215-7BD6-43BC-BFB8-D2BFD8BCB788}
 		{9DE6373E-47EA-4B02-B1EC-4859F14A6ACD} = {9D82C3FC-EC41-4F7A-8846-D69C4CA1FA5B}
 		{7CCE795D-D98C-41E7-834E-64A2D7B2D1DF} = {9D82C3FC-EC41-4F7A-8846-D69C4CA1FA5B}
+		{D91FE09B-BFBB-4F96-ADAF-2D60716793F2} = {9D82C3FC-EC41-4F7A-8846-D69C4CA1FA5B}
 	EndGlobalSection
 EndGlobal

samples/WebApi Autofac/App_Start/WebApiConfig.cs

@@ -0,0 +1,21 @@
+using System.Web.Http;
+
+namespace WebApi_Autofac
+{
+    public static class WebApiConfig
+    {
+        public static void Register(HttpConfiguration config)
+        {
+            // Web API configuration and services
+
+            // Web API routes
+            config.MapHttpAttributeRoutes();
+
+            config.Routes.MapHttpRoute(
+                name: "DefaultApi",
+                routeTemplate: "api/{controller}/{action}/{id}",
+                defaults: new { id = RouteParameter.Optional }
+            );
+        }
+    }
+}

samples/WebApi Autofac/Controllers/ExampleController.cs

@@ -0,0 +1,36 @@
+using System.Web.Http;
+using Microsoft.Owin.Security.Authorization.WebApi;
+
+namespace WebApi_Autofac.Controllers
+{
+    public class ExampleController : ApiController
+    {
+        [HttpGet]
+        [ResourceAuthorize(Policy = ExampleConstants.EmployeeNumber2Policy)]
+        public IHttpActionResult Authorized()
+        {
+            return Json("You are authorized now (only every third time!)");
+        }
+
+        [HttpGet]
+        [ResourceAuthorize(Roles = "admin")]
+        public IHttpActionResult Denied()
+        {
+            return Json("You should never be presented this text because you will never be authorized to see it");
+        }
+
+        [HttpGet]
+        [ResourceAuthorize(Policy = "Claim_IsUser")]
+        public IHttpActionResult Authorized2()
+        {
+            return Json("You are authorized!");
+        }
+
+        [HttpGet]
+        [ResourceAuthorize(Policy = "Claim_IsAdmin")]
+        public IHttpActionResult Denied2()
+        {
+            return Json("You should never be presented this text because you will never be authorized to see it");
+        }
+    }
+}

samples/WebApi Autofac/CustomAuthorizationPolicyProvider.cs

@@ -0,0 +1,26 @@
+using System;
+using System.Threading.Tasks;
+using Microsoft.Owin.Security.Authorization;
+
+namespace WebApi_Autofac
+{
+    public class CustomAuthorizationPolicyProvider : DefaultAuthorizationPolicyProvider
+    {
+        public CustomAuthorizationPolicyProvider(AuthorizationOptions options) : base(options)
+        {
+        }
+
+        public override Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
+        {
+            if (policyName.StartsWith("Claim_", StringComparison.InvariantCultureIgnoreCase))
+            {
+                var builder = new AuthorizationPolicyBuilder();
+                var claimName = policyName.Substring(6);
+                builder.RequireClaim(claimName, "1", "true");
+                var policy = builder.Build();
+                return Task.FromResult(policy);
+            }
+            return base.GetPolicyAsync(policyName);
+        }
+    }
+}

samples/WebApi Autofac/ExampleConstants.cs

@@ -0,0 +1,9 @@
+namespace WebApi_Autofac
+{
+    public static class ExampleConstants
+    {
+        public const string EmployeeClaimType = "EmployeeNumber";
+        public const string EmployeeOnlyPolicy = "EmployeeOnly";
+        public const string EmployeeNumber2Policy = "EmployeeNumber2";
+    }
+}

samples/WebApi Autofac/Models/EmployeeNumber2Handler.cs

@@ -0,0 +1,34 @@
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security.Authorization;
+
+namespace WebApi_Autofac.Models
+{
+    public class EmployeeNumber2Handler : AuthorizationHandler<EmployeeNumber2Requirement>
+    {
+        private static int _counter = 0;
+
+        public EmployeeNumber2Handler(ILogger logger)
+        {
+            _counter++;
+            if (_counter >= 3)
+                _counter = 0;
+
+            logger.WriteInformation("current: " + _counter);
+        }
+
+        protected override void Handle(AuthorizationContext context, EmployeeNumber2Requirement requirement)
+        {
+            foreach (var claim in context.User.Claims)
+            {
+                if (string.Equals(claim.Type, ExampleConstants.EmployeeClaimType))
+                {
+                    if (claim.Value == _counter.ToString())
+                    {
+                        context.Succeed(requirement);
+                        return;
+                    }
+                }
+            }
+        }
+    }
+}

samples/WebApi Autofac/Models/EmployeeNumber2Requirement.cs

@@ -0,0 +1,9 @@
+using Microsoft.Owin.Security.Authorization;
+
+namespace WebApi_Autofac.Models
+{
+    public class EmployeeNumber2Requirement : IAuthorizationRequirement
+    {
+
+    }
+}

samples/WebApi Autofac/Properties/AssemblyInfo.cs

@@ -0,0 +1,35 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following 
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("WebApi_Autofac")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("WebApi_Autofac")]
+[assembly: AssemblyCopyright("Copyright ©  2016")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible 
+// to COM components.  If you need to access a type in this assembly from 
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("9de6373e-47ea-4b02-b1ec-4859f14a6acd")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version 
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Revision and Build Numbers 
+// by using the '*' as shown below:
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

samples/WebApi Autofac/Startup.cs

@@ -0,0 +1,89 @@
+using System;
+using System.Collections.Generic;
+using System.Reflection;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using System.Web.Http;
+using Autofac;
+using Autofac.Core;
+using Autofac.Integration.Owin;
+using Autofac.Integration.WebApi;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security.Authorization;
+using Microsoft.Owin.Security.Authorization.Infrastructure;
+using Owin;
+using WebApi_Autofac;
+using WebApi_Autofac.Models;
+
+[assembly: OwinStartup(typeof(Startup))]
+
+namespace WebApi_Autofac
+{
+    public class Startup
+    {
+        public delegate AuthorizationDependencies AuthorizationDependenciesFactory(AuthorizationOptions options);
+
+        public void Configuration(IAppBuilder app)
+        {
+            app.UseErrorPage();
+            app.Use(AddEmployeeClaimBeforeAuthorizationCheck);
+            
+            var builder = new ContainerBuilder();
+
+            var config = new HttpConfiguration();
+            WebApiConfig.Register(config);
+
+            builder.RegisterApiControllers(Assembly.GetExecutingAssembly());
+            builder.RegisterType<CustomAuthorizationPolicyProvider>().As<IAuthorizationPolicyProvider>().InstancePerRequest();
+            builder.RegisterAssemblyTypes(Assembly.GetExecutingAssembly()).Where(t => typeof(IAuthorizationHandler).IsAssignableFrom(t)).InstancePerRequest().AsImplementedInterfaces();
+            builder.RegisterType<DefaultAuthorizationService>().As<IAuthorizationService>().InstancePerRequest();
+            builder.RegisterType<AuthorizationDependencies>().InstancePerRequest().PropertiesAutowired();
+            builder.RegisterInstance(new DiagnosticsLoggerFactory().Create("WebApi_Autofac_Logger"))
+                .As<ILogger>()
+                .SingleInstance();
+
+            var container = builder.Build();
+            config.DependencyResolver = new AutofacWebApiDependencyResolver(container);
+
+            app.UseAutofacMiddleware(container);
+            app.UseAutofacWebApi(config);
+
+            app.UseAuthorization(options =>
+            {
+                options.AddPolicy(ExampleConstants.EmployeeNumber2Policy, policyBuilder =>
+                {
+                    policyBuilder.AddRequirements(new EmployeeNumber2Requirement());
+                });
+            }, new AuthorizationDependenciesProvider
+            (
+                (options, context) =>
+                {
+                    var optionsParameter = new ResolvedParameter(
+                        (pi, ctx) => pi.ParameterType == typeof (AuthorizationOptions),
+                        (pi, ctx) => options);
+
+                    context.GetAutofacLifetimeScope().Resolve<IAuthorizationPolicyProvider>(optionsParameter);
+                    var dependenciesFactory = context.GetAutofacLifetimeScope().Resolve<Func<AuthorizationOptions, AuthorizationDependencies>>();
+                    var dependencies = dependenciesFactory?.Invoke(options);
+                    return dependencies;
+                }
+            ));
+
+            app.UseWebApi(config);
+        }
+
+        private static async Task AddEmployeeClaimBeforeAuthorizationCheck(IOwinContext owinContext, Func<Task> next)
+        {
+            var currentIdentity = (ClaimsIdentity) owinContext.Authentication.User.Identity;
+            if (!currentIdentity.HasClaim(x => x.Type == ExampleConstants.EmployeeClaimType))
+            {
+                const string currentEmployeeNumber = "2";
+                currentIdentity.AddClaim(new Claim(ExampleConstants.EmployeeClaimType, currentEmployeeNumber));
+                currentIdentity.AddClaim(new Claim("IsUser", "true"));
+                currentIdentity.AddClaim(new Claim("IsAdmin", "false"));
+            }
+            await next();
+        }
+    }
+}

samples/WebApi Autofac/Web.Debug.config

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- For more information on using web.config transformation visit http://go.microsoft.com/fwlink/?LinkId=125889 -->
+
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+  <!--
+    In the example below, the "SetAttributes" transform will change the value of 
+    "connectionString" to use "ReleaseSQLServer" only when the "Match" locator 
+    finds an attribute "name" that has a value of "MyDB".
+    
+    <connectionStrings>
+      <add name="MyDB" 
+        connectionString="Data Source=ReleaseSQLServer;Initial Catalog=MyReleaseDB;Integrated Security=True" 
+        xdt:Transform="SetAttributes" xdt:Locator="Match(name)"/>
+    </connectionStrings>
+  -->
+  <system.web>
+    <!--
+      In the example below, the "Replace" transform will replace the entire 
+      <customErrors> section of your web.config file.
+      Note that because there is only one customErrors section under the 
+      <system.web> node, there is no need to use the "xdt:Locator" attribute.
+      
+      <customErrors defaultRedirect="GenericError.htm"
+        mode="RemoteOnly" xdt:Transform="Replace">
+        <error statusCode="500" redirect="InternalError.htm"/>
+      </customErrors>
+    -->
+  </system.web>
+</configuration>