 

Claims without roles?

I'm trying to understand ASP.NET Identity authentication and authorization mechanics. I understand what a claim is and what a role is. In almost every related blog post, or question on here, it's advised to use claims and avoid roles. I'm confused at this point. How can I use claims without roles? (I normally assign roles to users after they are registered.)

Any help is appreciated.

Thank you

asked Apr 12 '15 18:04 by SherleyDev



1 Answer

Roles are claims too, claims are just more general.

In almost every related blog post, or question on here it's advised to use claims and avoid roles.

I can only speculate, as you don't show exact links, that it's not exactly "claims over roles".

It's rather "use the claims-based security model over the role-based security model". This one is easy to explain: since roles are claims too, using claims you have roles, but you possibly have other claims, too.

Technically, if you create a ClaimsPrincipal and add Role claims, ASP.NET will correctly recognize roles wherever you'd expect it to - WebForms authorization, MVC authorization filters and other role-based stuff work as usual.

If you need some technical details, consult my blog entry where I show how you can easily switch from the old role-based Forms Authentication to the new claims-based authentication.

http://www.wiktorzychla.com/2014/11/forms-authentication-revisited-for-net.html

In particular, you just add role claims like this:

using System.Security.Claims;

// "custom" is the authentication type; any non-empty value makes IsAuthenticated true
var identity = new ClaimsIdentity( "custom" );
identity.AddClaim( new Claim( ClaimTypes.Name, txtLogin.Text ) );
// a role is just a claim of type ClaimTypes.Role, which IsInRole() and [Authorize(Roles=...)] look at
identity.AddClaim( new Claim( ClaimTypes.Role, "admin" ) );

var principal = new ClaimsPrincipal( identity );

// write the principal to cookie (the cookie must be signed/encrypted, or users can add their own role claims)

However, what claims give you is the ability to do authorization based on arbitrary claims like "user is older than 18 years" or "user comes from France, Germany or Spain". Such arbitrary statements do not necessarily map to "roles" but are perfect claims.

You do this authorization with a custom claims authorization manager; examples here:

https://msdn.microsoft.com/en-us/library/system.security.claims.claimsauthorizationmanager(v=vs.110).aspx

answered Sep 30 '22 06:09 by Wiktor Zychla

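The two points of the answer above, "roles are just claims" and "arbitrary claims get authorized by a custom ClaimsAuthorizationManager", put together in one runnable program. This is an added example, not code from the answer or from the linked blog post. It targets .NET Framework 4.5+ with a reference to System.IdentityModel.dll (where ClaimsAuthorizationManager and AuthorizationContext live); the class name, the "AdultContent"/"View" resource and action names, the allowed-country list and the sample users are all assumptions made for the example.

```csharp
// Added example (not from the original answer): a ClaimsPrincipal carrying
// role claims plus arbitrary claims (date of birth, country), and a custom
// ClaimsAuthorizationManager that authorizes on those arbitrary claims.
// Requires .NET Framework 4.5+ and a reference to System.IdentityModel.dll.
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;

// Hypothetical policy: viewing "AdultContent" requires age >= 18 and a
// country claim from an allowed set. Names and the set are assumptions.
public class AgeAndCountryAuthorizationManager : ClaimsAuthorizationManager
{
    private static readonly string[] AllowedCountries = { "FR", "DE", "ES" };

    public override bool CheckAccess(AuthorizationContext context)
    {
        // Fail closed: only the one resource/action pair we know is handled.
        var resource = context.Resource.FirstOrDefault()?.Value;
        var action = context.Action.FirstOrDefault()?.Value;
        if (resource != "AdultContent" || action != "View")
            return false;

        var principal = context.Principal;
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        // Age check from the DateOfBirth claim; a missing or malformed claim denies.
        var dobClaim = principal.FindFirst(ClaimTypes.DateOfBirth);
        if (dobClaim == null ||
            !DateTime.TryParseExact(dobClaim.Value, "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out var dob))
            return false;

        var today = DateTime.UtcNow.Date;
        var age = today.Year - dob.Year;
        if (dob.Date > today.AddYears(-age)) age--; // birthday not yet reached this year
        if (age < 18)
            return false;

        // Country check: the claim value must be one of the allowed codes.
        var country = principal.FindFirst(ClaimTypes.Country)?.Value;
        return country != null &&
               AllowedCountries.Contains(country, StringComparer.OrdinalIgnoreCase);
    }
}

public static class Program
{
    // Same shape as the answer's snippet: roles are claims of type ClaimTypes.Role,
    // which is the default RoleClaimType of ClaimsIdentity, so IsInRole() sees them.
    public static ClaimsPrincipal BuildPrincipal(string login, string dateOfBirth,
                                                 string country, params string[] roles)
    {
        var identity = new ClaimsIdentity("custom"); // authentication type, as in the answer
        identity.AddClaim(new Claim(ClaimTypes.Name, login));
        identity.AddClaim(new Claim(ClaimTypes.DateOfBirth, dateOfBirth));
        identity.AddClaim(new Claim(ClaimTypes.Country, country));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var manager = new AgeAndCountryAuthorizationManager();

        // Constructed sample users, not real data:
        // alice is an adult from an allowed country and holds the admin role,
        // bob is a minor, carol is an adult from a country outside the set.
        var alice = BuildPrincipal("alice", "1990-05-01", "FR", "admin");
        var bob   = BuildPrincipal("bob",   "2015-01-01", "DE");
        var carol = BuildPrincipal("carol", "1985-09-09", "US", "admin");

        // Role-based checks keep working because the role is itself a claim.
        foreach (var p in new[] { alice, bob, carol })
            Console.WriteLine($"{p.Identity.Name} IsInRole(admin): {p.IsInRole("admin")}");

        // Claim-based checks go through the manager; roles play no part here.
        foreach (var p in new[] { alice, bob, carol })
        {
            var ctx = new AuthorizationContext(p, "AdultContent", "View");
            Console.WriteLine($"{p.Identity.Name} may view AdultContent: {manager.CheckAccess(ctx)}");
        }
    }
}
```

Two practical notes. First, the manager only authorizes what it is given: the principal must come from an integrity-protected source (a signed and encrypted authentication cookie or a validated token), because a caller who can edit the claim set can grant themselves any role or age. Second, ClaimsAuthorizationManager is the .NET Framework (System.IdentityModel) mechanism; ASP.NET Core does not ship it and expresses the same idea as an authorization policy built from an IAuthorizationRequirement and an AuthorizationHandler.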