What's the role of the ClaimsPrincipal, why does it have multiple Identities?

I am trying to understand the security model behind .NET based on claims for the application (Relying Party).

I know there are 2 major classes:

  • ClaimsPrincipal - security context for the running process
  • ClaimsIdentity - stores information about the user - authentication status and claims

The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.

To me, other than using it to get the current identity, the ClaimsPrincipal (excuse my ignorance) is useless.

What am I missing, other than what I stated and, let's say, backwards compatibility, in regard to the ClaimsPrincipal class?

Dan asked Sep 15 '15 10:09

1 Answer

The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.

This is a wrong assumption. In fact, the ClaimsPrincipal in context will always have more than 1 identity if your application requires n-factor authentication (n > 1).

Try looking at it this way.

Principal = User

Identity = Driver's License, Passport, Credit Card, Google Account, Facebook Account, RSA SecurID, Finger print, Facial recognition, etc.

If you're pulled over by the police, they don't verify you're who you claim to be based on your driver's license alone. They also need to see your face. Otherwise you could show anyone's driver's license.

Hence it makes sense why authentication can, and sometimes should, be based on multiple identities. That's why 1 ClaimsPrincipal can have any number of ClaimsIdentity objects.

Ali Reza Dehdar answered Sep 24 '22 04:09
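As an added example (not code from the question or the answer above), here is a small C# program that builds one ClaimsPrincipal from two ClaimsIdentity instances, one produced by a password login and one by a second factor, and shows that the principal's lookups (IsInRole, FindAll, HasClaim) span both identities while Identity (singular) still returns the primary one. The authentication type names "Password" and "Totp", the "amr" claim values and the RequiresSecondFactor policy are constructed for the example, not part of any framework.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class Program
{
    // Constructed policy: a request is only allowed when the principal carries an
    // authenticated identity that was issued by the (hypothetical) "Totp" handler.
    public static bool RequiresSecondFactor(ClaimsPrincipal p) =>
        p.Identities.Any(i => i.IsAuthenticated && i.AuthenticationType == "Totp");

    static void Main()
    {
        // Identity 1: what the password authentication step asserts about the user.
        var passwordIdentity = new ClaimsIdentity(
            new[]
            {
                new Claim(ClaimTypes.Name, "alice"),   // constructed sample user
                new Claim(ClaimTypes.Role, "User"),
                new Claim("amr", "pwd"),               // constructed: "authenticated by password"
            },
            authenticationType: "Password");

        // Identity 2: what the second-factor step asserts. It has its own
        // authentication type and its own claims and does not repeat the name.
        var mfaIdentity = new ClaimsIdentity(
            new[] { new Claim("amr", "otp") },        // constructed: "one-time code verified"
            authenticationType: "Totp");

        // One principal, two identities: the user finished both factors.
        var principal = new ClaimsPrincipal(new[] { passwordIdentity, mfaIdentity });

        // Identity (singular) is the primary identity; with no WindowsIdentity present
        // the default selector picks the first one, so Name comes from the password step.
        Console.WriteLine(principal.Identity?.Name);                 // alice
        Console.WriteLine(principal.Identities.Count());             // 2

        // Role and claim lookups on the principal search every identity it holds,
        // so the role from identity 1 and the "amr" claims from both are all visible.
        Console.WriteLine(principal.IsInRole("User"));               // True
        Console.WriteLine(principal.HasClaim("amr", "otp"));         // True
        Console.WriteLine(string.Join(",", principal.FindAll("amr").Select(c => c.Value))); // pwd,otp

        // A principal built from the password identity alone fails the constructed policy.
        var passwordOnly = new ClaimsPrincipal(passwordIdentity);
        Console.WriteLine(RequiresSecondFactor(principal));          // True
        Console.WriteLine(RequiresSecondFactor(passwordOnly));       // False
    }
}
```

The point for an authorization check is the last two lines: because each factor contributes its own ClaimsIdentity, a policy can ask "did this specific handler authenticate the user?" by inspecting Identities and AuthenticationType, rather than trusting a single flattened claim set.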