Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the claims in ASP .NET Identity

Can somebody please explain, what the claim mechanism means in new ASP.NET Identity Core?

As I can see, there is an AspNetUserLogins table, which contains UserId, LoginProvider and ProviderKey.

But, I still can't understand or find any information on when data is added to the AspNetUserClaims table and what situations this table is used for?

like image 951
Maxim Zhukov Avatar asked Feb 08 '14 11:02

Maxim Zhukov


People also ask

What are claims in Identity Server?

Claims are pieces of information about a user that have been packaged, signed into security tokens and sent by an issuer or identity provider to relying party applications through a security token service (STS).

Why do we use claims?

Making a claim in your writing allows you to present the main idea of the document in the form of an argument that you will support with evidence throughout the document. A claim statement is a type of thesis statement in which you present the main idea of what you are writing in the form of an argument.

What is claims identity model?

The claims-based identity is an identity model in Microsoft SharePoint Foundation 2010 and Microsoft SharePoint Server 2010 that includes features such as authentication across users of Windows-based systems and systems that are not Windows-based, multiple authentication types, stronger real-time authentication, a ...


1 Answers

what does claim mechanism means in new ASP.NET Identity Core?

There are two common authorization approaches that are based on Role and Claim.

Role-Based Security

A user gets assigned to one or more roles through which the user gets access rights. Also, by assigning a user to a role, the user immediately gets all the access rights defined for that role.

Claims-Based Security

A claims-based identity is the set of claims. A claim is a statement that an entity (a user or another application) makes about itself, it's just a claim. For example a claim list can have the user’s name, user’s e-mail, user’s age, user's authorization for an action. In role-based Security, a user presents the credentials directly to the application. In a claims-based model, the user presents the claims and not the credentials to the application. For a claim to have practical value, it must come from an entity the application trusts.

Below steps illustrate the sequence of that happens in a claims-based security model:

  1. The user requests an action. The relying party (RP) application asks for a token.
  2. The user presents the credentials to the issuing authority that the RP application trusts.
  3. The issuing authority issues a signed token with claims, after authenticating the user’s credentials.
  4. The user presents the token to the RP application. The application validates the token signature, extracts the claims, and based on the claims, either accepts or denies the request.

But, i still can't understand and find any information, when data addes to AspNetUserClaims and what situations this table using for?

When you are in a situation where a Role-Based Security is not used, and you chose to use Claim-Based Security, you would need to utilize AspNetUserClaims table. For how to use Claims in ASP.NET Identity, see below link for more information.

http://kevin-junghans.blogspot.com/2013/12/using-claims-in-aspnet-identity.html

Update

What time i have to use role-based security and when claim-based? Could you please write a few examples?

There isn't a very clear situation where you would or would not use Role-Based or Claim-Based Security, Not like a case where you would use A rather than B.

But, claim-Based access control allows better separation of authorization rules from the core business logic. When authorization rules change, the core business logic remain unaffected. There will be situations where you might prefer using Claim-Based approach.

Sometimes claims aren't needed. This is an important disclaimer. Companies with a host of internal applications can use Integrated Windows Authentication to achieve many of the benefits provided by claims. Active Directory does a great job of storing user identities, and because Kerberos is a part of Windows, your applications don't have to include much authentication logic. As long as every application you build can use Integrated Windows Authentication, you may have already reached your identity utopia. However, there are many reasons why you might need something other than Windows authentication. You might have web-facing applications that are used by people who don't have accounts in your Windows domain. Another reason might be that your company has merged with another company and you're having trouble authenticating across two Windows forests that don't (and may never) have a trust relationship. Perhaps you want to share identities with another company that has non-.NET Framework applications or you need to share identities between applications running on different platforms (for example, the Macintosh). These are just a few situations in which claims-based identity can be the right choice for you.

For more information, please visit http://msdn.microsoft.com/en-us/library/ff359101.aspx

like image 161
Lin Avatar answered Sep 22 '22 18:09

Lin