I'm investigating using claims-based authorization in ASP.NET (MVC Core 1.0). When setting up a ClaimsIdentity, I supply a list of key/value string pairs to represent each Claim. Example:
List<Claim> claims = new List<Claim>
{
new Claim("UserID", user.ID),
new Claim("Name", user.Name),
new Claim("Role", "basic")
};
My understanding is that I can use whatever keys/values I want. But I noticed there are some pre-defined keys available via the ClaimTypes class. So, I could potentially use some of these pre-defined keys instead:
List<Claim> claims = new List<Claim>
{
new Claim(ClaimTypes.Sid, user.ID),
new Claim(ClaimTypes.Name, user.Name),
new Claim(ClaimTypes.Role, "basic")
};
Questions:
If I use the pre-defined keys, are there any rules/restrictions regarding the actual values assigned to each key, or is it application defined? For example, is it OK to stick a database primary key in ClaimTypes.Sid, or does ASP.NET have certain expectations of what ClaimTypes.Sid should contain?
Are there any ClaimTypes that are required, or is it completely up to the application to decide what to include or not include? I imagine the answer may depend on specific third-party authentication services I would interact with, but how about the simple case of a self-contained ASP.NET project that does not use any third-party authentication. Does ASP.NET itself have any requirements?
Any links to requirements and/or best practices regarding usage of specific key/values would be appreciated.
Asp.Net Identity by default expects the user name to be ClaimTypes.Name (either the user's display name or mail, whatever you use), the role to be ClaimTypes.Role, and the user id (not necessarily the row ID, just something unique that identifies the user, i.e. a Guid or email address) to be ClaimTypes.
Claims can be created from any user or identity data, which can be issued by a trusted identity provider or by ASP.NET Core Identity. A claim is a name/value pair that represents what the subject is, not what the subject can do.
Claims-based authorization works by checking whether the user has a claim required to access a URL. In ASP.NET Core we create policies to implement claims-based authorization. The policy defines which claims the user must possess to satisfy the policy. We apply the policy on the controller, action method, Razor page, etc.
If I use the pre-defined keys, are there any rules/restrictions regarding the actual values assigned to each key, or is it application defined? For example, is it OK to stick a database primary key in ClaimTypes.Sid, or does ASP.NET have certain expectations of what ClaimTypes.Sid should contain?
Using one of the pre-defined ClaimTypes will also modify the Type property of your resulting Claim. You can find a list of these types here. As far as I know, you are free to put a database ID into ClaimTypes.Sid, however I would strongly recommend using your own name that calls it what it is.
Are there any ClaimTypes that are required, or is it completely up to the application to decide what to include or not include? I imagine the answer may depend on specific third-party authentication services I would interact with, but how about the simple case of a self-contained ASP.NET project that does not use any third-party authentication. Does ASP.NET itself have any requirements?
Assuming no third-party, you get to decide what is and is not required. Keep in mind that if you are storing claims in a cookie (not a third-party source), your space is somewhat limited; cookies cannot be larger than 4096 bytes in total.
The best articles I have found so far for ASP.NET Core claims authentication are here and here. As of this posting, we are still in RC1, so some details may change prior to the final release.
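To make the two answers above concrete (the standard ClaimTypes that ASP.NET Core reads by default, and a policy that requires a claim the user must possess), here is an added example that is not part of the question or any answer. It assumes ASP.NET Core 3.x or later with cookie authentication; the AppUser record, the urn:example-app claim type URIs and the policy names are made up for illustration.

```csharp
// Added example, not from the original post. Assumes ASP.NET Core 3.x+ with cookie auth.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AppClaimTypes
{
    // Application-defined claim types (hypothetical URIs): the name says what the value is,
    // instead of overloading a standard type such as ClaimTypes.Sid with a database key.
    public const string DatabaseUserId = "urn:example-app:claims:database-user-id";
    public const string Department     = "urn:example-app:claims:department";
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();

        services.AddAuthorization(options =>
        {
            // RequireRole checks ClaimTypes.Role (the identity's RoleClaimType).
            options.AddPolicy("BasicUser", p => p.RequireRole("basic", "admin"));
            // RequireClaim checks an arbitrary claim type and, optionally, allowed values.
            options.AddPolicy("SecurityTeam",
                p => p.RequireClaim(AppClaimTypes.Department, "security"));
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // populates HttpContext.User from the cookie
        app.UseAuthorization();    // evaluates [Authorize] policies against those claims
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}

public class AccountController : Controller
{
    // Hypothetical user record; a real app loads it from its store after verifying credentials.
    private sealed class AppUser { public int Id; public string Name; public string Role; public string Department; }

    [HttpPost]
    public async Task<IActionResult> SignIn()
    {
        var user = new AppUser { Id = 42, Name = "alice", Role = "basic", Department = "security" };

        var claims = new List<Claim>
        {
            // Standard types, used where the framework expects them:
            new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()), // stable unique id
            new Claim(ClaimTypes.Name, user.Name),                    // User.Identity.Name
            new Claim(ClaimTypes.Role, user.Role),                    // User.IsInRole / RequireRole
            // Application types, named for what they hold:
            new Claim(AppClaimTypes.DatabaseUserId, user.Id.ToString()),
            new Claim(AppClaimTypes.Department, user.Department),
        };

        // Tell the identity which claim types act as its name and role.
        var identity = new ClaimsIdentity(claims,
            CookieAuthenticationDefaults.AuthenticationScheme, ClaimTypes.Name, ClaimTypes.Role);

        // Everything in 'claims' is serialised into the auth cookie, so keep the set small.
        await HttpContext.SignInAsync(new ClaimsPrincipal(identity));
        return RedirectToAction("Index", "Home");
    }
}

public class HomeController : Controller
{
    [Authorize(Policy = "BasicUser")]
    public IActionResult Index()
    {
        // Claim.Type holds the full type string, e.g. ClaimTypes.Name is
        // "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name".
        string userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        bool onSecurityTeam = User.HasClaim(AppClaimTypes.Department, "security");
        return Content($"user {User.Identity.Name} (id {userId}), security team: {onSecurityTeam}");
    }

    [Authorize(Policy = "SecurityTeam")]
    public IActionResult Restricted() => Content("security team only");
}
```

Two points worth checking in your own code: the role check only works because the ClaimsIdentity was built with ClaimTypes.Role as its role claim type (a third-party provider may use a different type and need mapping), and the cookie-size caveat above applies to the whole claim set, so avoid stuffing large or frequently changing data into claims and look it up from the database by ClaimTypes.NameIdentifier instead.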