I am trying to understand the security model behind .NET based on claims for the application (Relying Party).
I know there are 2 major classes:
The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.
To me, the ClaimsPrincipal, other than using it to get the current identity, excuse my ignorance, it's useless.
What am I missing other than what I stated and let's say backwards compatiblity in regard to the ClaimsPrincipal class?
ClaimsPrincipal exposes a collection of identities, each of which is a ClaimsIdentity. In the common case, this collection, which is accessed through the Identities property, will only have a single element.
In ASP.NET 4. x projects, it was common to use ClaimsPrincipal. Current to retrieve the current authenticated user's identity and claims. In ASP.NET Core, this property is no longer set. Code that was depending on it needs to be updated to get the current authenticated user's identity through a different means.
To serialize it, you might have to pass over a SecurityTokenDescriptor (where you put your claims in) to convert your ClaimsPrincipal into a SecurityToken , then the SecurityTokenHandler can convert this into a "string".
The ClaimsIdentity class is a concrete implementation of a claims-based identity; that is, an identity described by a collection of claims. A claim is a statement about an entity made by an issuer that describes a property, right, or some other quality of that entity.
The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.
This is a wrong assumption. In fact the ClaimsPrincipal in context will always have more than 1 identity if your application requires n factor authentication (n > 1).
Try looking at it this way.
Principal = User
Identity = Driver's License, Passport, Credit Card, Google Account, Facebook Account, RSA SecurID, Finger print, Facial recognition, etc.
If you're pulled over by the police, they don't verify you're who you claim to be, based on your driver's license alone. They also need to see your face. Otherwise you could show anyones driver's license.
Hence it makes sense, why authentication can and sometimes should be based on multiple identities. That's why 1 ClaimsPrincipal can have any number of ClaimsIdentity.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With