4

Everything I've read about claims-based authentication is essentially about "outsourcing" your authentication process to a trusted 3rd party.

See:
  • Explain "claims-based authentication" to a 5-year-old
  • Why Claim based authentication instead of role based authentication

Obviously this lends itself well to using something like Facebook or Google to authenticate. But what if there is no 3rd party? What if you just need users to authenticate against an internal database? For example, in a corporate setting. Is there any reason to use claims over plain old roles? If so, some concrete examples would be helpful.


What I know about claims so far:

  • I understand that claims are key/value pairs rather than booleans like roles.
  • I understand that claims can store roles.
  • And if I understand correctly, claims get stored in an authentication cookie (maybe this is key - fewer database calls vs. roles?).
EF0

1 Answer

2

There are numerous reasons, including those you mentioned.

Another reason is that the forms authentication module is incapable of handling cookies that are too large. Just add a few hundred roles and exceed the maximum allowed cookie size (4 KB) and you are out of luck. The session authentication module that handles claim cookies automatically splits tokens that are too large into multiple cookies. And if you don't want to have multiple cookies, a simple switch to "session mode" automatically stores the large token in the session container, and the cookie only contains a small bit of information to reflect that.

Yet another argument for the claim-driven cookie is that you can handle any custom data, including tenant name (in a multitenant application), name of home organisation, age, whatever you might need somewhere later. The forms cookie has a custom data section, but it is just a string, so you need a custom serializer to have structured data there.

All this is done by the session authentication module and, frankly, it easily outperforms the forms module. Switching your forms authentication to the new module is also easy; I blogged about that some time ago (other people blog about it too):

http://www.wiktorzychla.com/2012/09/forms-authentication-revisited.html

Wiktor Zychla
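The two cookie strategies described in the answer above (splitting an oversized claims token across several cookies, and "session mode" where the cookie carries only a reference), shown as an added Python model that is not part of the original post and is not the session authentication module's own code. The cookie name `Auth`, the 2000-character chunk size, the HMAC token format and the sample claims are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

COOKIE_LIMIT = 4096              # per-cookie limit quoted in the answer (4 KB)
CHUNK_SIZE = 2000                # assumed chunk size for this model
KEY = secrets.token_bytes(32)    # constructed signing key
SESSION_STORE = {}               # stands in for the server-side session container

def serialize(claims):
    """Encode [type, value] claim pairs and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def deserialize(token):
    """Verify the tag before decoding, so altered or missing chunks are rejected."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token integrity check failed")
    return json.loads(base64.urlsafe_b64decode(body))

def issue_cookies(claims, reference_mode=False, name="Auth"):
    token = serialize(claims)
    if reference_mode:
        # "Session mode": the token stays on the server, the cookie is a handle.
        handle = secrets.token_urlsafe(32)
        SESSION_STORE[handle] = token
        return {name: "ref:" + handle}
    # Default mode: split the token into Auth, Auth1, Auth2, ...
    chunks = [token[i:i + CHUNK_SIZE] for i in range(0, len(token), CHUNK_SIZE)]
    return {name + (str(i) if i else ""): c for i, c in enumerate(chunks)}

def read_cookies(cookies, name="Auth"):
    first = cookies[name]
    if first.startswith("ref:"):
        return deserialize(SESSION_STORE[first[4:]])
    parts, i = [first], 1
    while name + str(i) in cookies:      # reassemble chunks in order
        parts.append(cookies[name + str(i)])
        i += 1
    return deserialize("".join(parts))

def sample_claims(role_count=300):
    """Constructed identity: structured custom data plus a few hundred roles."""
    claims = [["name", "alice"], ["tenant", "contoso"], ["age", "34"]]
    return claims + [["role", f"role-{i:03d}"] for i in range(role_count)]
```

Reference mode keeps the cookie small but makes the server-side store part of the session's trust boundary, so the handle must be unguessable and entries must expire with the session.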