Given a specific set of permissions, e.g. EditPage, CreateProject, ModifyUser, I am currently looking at two different ways of creating some custom claims types to model this behavior. I can find little information online about the best way to do this and hoping for some feedback on how you have done this in your own systems.
The first approach I've considered is to use an "action" claim type, with the specific action specified by the value of the claim:
var claims = new []
{
new Claim("http://schemas.company.com/claims/project/action", "EditPage"),
new Claim("http://schemas.company.com/claims/project/action", "CreateProject"),
new Claim("http://schemas.company.com/claims/project/action", "ModifyUser")
}
The second approach is to use the claim type itself to define the action being performed, the value is not used. This is like a "PossessProperty" style of security where as long as the user has the claimtype, they can perform the action.
var claims = new []
{
new Claim("http://schemas.company.com/claims/project/editpage", ""),
new Claim("http://schemas.company.com/claims/project/createproject", ""),
new Claim("http://schemas.company.com/claims/project/modifyuser", "")
}
Also note, in the claim types above I've included a "project" discriminator so that I can differentiate between a user who can edit a page in Project A but not Project B.
We're also planning on storing all of these custom claims in a central "Authorization" database, so the uniqueness is required.
Any thoughts or feedback would be greatly appreciated.
Well - you haven't given more details about your intent - but if you plan to make these claims part of the identity of the user - this is clearly an anti-pattern.
Claims describe the identity of the user (which might include coarse grained authorization data like roles). To make finer grained authorization decisions, use something like the ClaimsAuthorizationManager in .NET.
In this extensibility point you make a informed decision based on
a) the identity of the user b) the resource the user is trying to access c) the operation the user is trying to do on the resource
So in other words - claims are the input to your authorization decisions, not the direct answer.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With