I'm truly lost in trying to understand ASP.NET Identity 2.1.0 right now, and need to go back over the basics, in order to better understand how the cookies and claims work.
A basic query is around my not being sure I understand why a User needs properties as well as Claims: isn't a Claim just a key+value+authority, and therefore could have been used for storing the Properties (a key+value)?
* What's the benefit of keeping two sets of properties (other than typed get/sets on the Properties)? Is one intended to be more transient than the other?
* Is it only to distinguish between what gets serialized and round-tripped in the Cookie (only the claims, right?)?
* Talking about that... just checking: is it all Claims that are round-tripped by being serialized in the cookie, or is it only a subset of them (such as ClaimTypes.Roles)?
Thanks for the help!
ASP.NET Core Identity claims can be used to implement authorization, i.e. based on a user's claim value we can decide whether that user will be able to access a specific resource or not.
A claim is a name value pair that represents what the subject is, not what the subject can do. For example, you may have a driver's license, issued by a local driving license authority. Your driver's license has your date of birth on it.
A user gets assigned to one or more roles through which the user gets access rights. Also, by assigning a user to a role, the user immediately gets all the access rights defined for that role. A claims-based identity is the set of claims.
ASP.NET Identity can be used with all ASP.NET frameworks, such as ASP.NET Web Forms, MVC, Web Pages, Web API, etc. ASP.NET Identity has been developed with some major security features like Two-Factor Authentication, Account Lockout, Account Confirmation, etc.
All claims on the user are serialised into the cookie. Not all ApplicationUser properties are serialised as claims. In fact, most properties are not serialised into claims (unless specifically coded for).
You are confusing 2 concepts: Claims are part of ClaimsPrincipal : IPrincipal that is available on every HTTP request (if the user is authenticated). ClaimsPrincipal is created from ApplicationUser when the user is signed in and serialised into the cookie.
The ApplicationUser model is a way to persist user information into the database, and additional properties are just additional fields for the user table in your DB. You can code to have these properties become available in your cookie through adding claims, but they don't become claims automatically for you.
Adding extra information can be achieved through adding a claim or through an additional property on the ApplicationUser table. You are in control of how to add the data. But bear in mind that these can serve different purposes. If you add a property on ApplicationUser, you are saying that all users should have something for that. If you add a claim with the same data, you are saying that this user has some data that other users may not have.
To answer your last question: all claims are serialised and round-tripped in the cookie. So don't put too much information into the cookie - these can add up and you'll be round-tripping too much data.
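As an added illustration of the answer above (example code, not from the original answer or from the Identity framework itself), this shows an ApplicationUser property that stays in the database only, and how the same value is promoted to a claim at sign-in so that it is serialised into the cookie. The claim type "urn:example:displayname" and the DisplayName property are assumed names.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hypothetical user model for an ASP.NET Identity 2.1 application.
public class ApplicationUser : IdentityUser
{
    // A persisted column on the user table: every user has the field
    // (possibly null), but it is NOT written to the cookie by default.
    public string DisplayName { get; set; }

    // Called at sign-in (the default template wires it up from
    // SignInManager.CreateUserIdentityAsync). Every claim on the returned
    // identity is what gets serialised into the authentication cookie and
    // round-tripped on each request; the cookie is not refreshed from the
    // DB until the user signs in again.
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(
        UserManager<ApplicationUser> manager)
    {
        var identity = await manager.CreateIdentityAsync(
            this, DefaultAuthenticationTypes.ApplicationCookie);

        // Promote the property to a claim so it is available on every
        // request without a database lookup. Only small values belong here:
        // the cookie carries all of them on every request.
        if (!string.IsNullOrEmpty(DisplayName))
            identity.AddClaim(new Claim("urn:example:displayname", DisplayName));

        // Role claims (ClaimTypes.Role) are already added by CreateIdentityAsync
        // from the user's role memberships; nothing extra is needed for them.
        return identity;
    }
}

public static class ClaimsHelpers
{
    // Reads the claim back from the ClaimsPrincipal rebuilt from the cookie
    // (e.g. HttpContext.User as ClaimsPrincipal). Returns null for a user
    // whose cookie carries no such claim, which is the "this user has data
    // that other users may not have" case from the answer.
    public static string GetDisplayName(ClaimsPrincipal principal)
    {
        return principal?.FindFirst("urn:example:displayname")?.Value;
    }
}
```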