What is the idea behind IIdentity and IPrincipal in .NET

Question

So, what is the purpose for existence of both IIdentity and IPrincipal, and not some IIdentityMergedWithPrincipal? When is it not enough to implement both in same class?

Also, to understand purpose, I'd like to know where this concept comes from:

It is originated in .Net
There is concept of Identity/Principal as design pattern, which System.Security.Principal implemented in those interfaces
It is originated somewhere else and supported for compatibility

Therefore, does UserPrincipal from System.DirectoryServices act similarly to IPrincipal but not implement it by accident or by intention?

P.S. I'm looking for reasoning behind idea, not benefits/controversies comparison, so please try not to start opinion-based discussion

have you read the following articles of the many others that are out there http://msdn.microsoft.com/en-us/library/ee748503.aspx What do you not understand.. ? try reading up on `PrincipalContect as well I think that you will gain a better understanding on the how and why — MethodMan, Nov 24 '14 at 15:10
The Active Directory `Principal` classes have ***absolutely nothing*** to do with the `IIdentity` and `IPrincipal` in the core .NET framework. Those are totally independent and not related in any way, shape or form (other than the naming...) — marc_s, Nov 24 '14 at 15:40
Surely, Active Directory Principal is not in any way dependent on IPrincipal, however I think that there is implicit connection. For example: compare IPrincipal.IsInRole(string role) and UserPrincipal.IsMemberOf(GroupPrincipal group). I think it is possible to write custom IPrincipal wrapper around UserPrincipal — Aloraman, Nov 24 '14 at 15:53
It should be noted that there is **absolutely no reason** why you couldn't create a concrete type that implements both `IPrincipal` and `IIdentity` if you really wanted to. `public class MyIdentityMergedWithPrincipal : IPrincipal, IIdentity`. If the interfaces were rolled into one on the other hand, you wouldn't be able to separate them like you can (and probably should) now. The separate interfaces are for separate concerns. — NightOwl888, Jul 11 '16 at 12:09

score 74 · Accepted Answer · answered Nov 24 '14 at 15:54

74

IIdentity is just used for the user's authenticated identity, regardless of what roles they may have.

IPrincipal is used to combine a user's identity with the authorized roles they have in a given security context.

For example, you can use a third-party login provider, like Facebook or Google, to get the user's identity, but you will not get a principal from those providers, as they don't provide any roles. You can use your own application or a third-party role-based authorization provider to apply roles to, say, a FacebookIdentity or GoogleIdentity. A different application can expect a different principal, with its own roles, but still use the same identity as in another application.

answered Nov 24 '14 at 15:54

Mark Cidade

98,437
31
224
236

2

So, there **are** used to separate authentication and authorization concern. Thank you for your example, now I see that they can be not dependent on each other, therefore separate entities. – Aloraman Nov 24 '14 at 16:02
3

One point of confusion I've found is that frequently, people are putting identity-related properties (e.g. name, email) on the IPrincipal implementation rather than the IIdentity, because they can't be bothered to type e.g. User.Identity.Email (in the days of Intellisense and auto-complete), and would rather save a few keystrokes and enter User.Email. – David Keaveny Aug 22 '16 at 23:53
1

Then why does `IIdentity` have an `IsAuthenticated` property? – Sedat Kapanoglu Mar 07 '17 at 01:10
5

Unauthenticated users can still have an `IIdentity` associated with them, in which case the `IsAuthenticated` property will be `false` (e.g., anonymous web site visitors). – Mark Cidade Mar 08 '17 at 17:08

score 16 · Answer 2 · edited Apr 13 '16 at 19:37

A principal is the security context of a user.

In the case of .NET, a principal supports the concept of having more than one identity (This has nothing to do with claims yet). This is particularly important when it comes to semantics that developers need to deal with when it comes to user identity. You may be called on as a developer to support multiple identities coming from different sources (identity providers IdPs), for example: Twitter, Google, whatever.

So what's the different between a IPrincipal and IIDentity? IPrincipal is the security context (for a single thread), and the IIDentity is the set of attributes associated with that user coming from a specific identity provider / authority.

score 10 · Answer 3 · answered Oct 14 '15 at 18:33

As MSDN site says:

The identity object encapsulates information about the user or entity being validated. At their most basic level, identity objects contain a name and an authentication type.

whereas

The principal object represents the security context under which code is running.

Refer to the above link for a lot more info.

HTH

score -4 · Answer 4 · edited Mar 21 '17 at 10:28

-4

public class HBPrincipal : IPrincipal
{
     private HBIdentity _identity;

     public HBPrincipal(HBIdentity identity)
    {
        _identity = identity;
    }

    public IIdentity Identity
    {
        get
        {
            return _identity;
        }
    }

    public bool IsInRole(string role)
    {
        // TODO implement roles
        return false;
    }
}

edited Mar 21 '17 at 10:28

Arsen Mkrtchyan

49,896
32
148
184

answered Mar 21 '17 at 06:00

user7743682

1

6

This does not seem to answer the question at all. – Pang Mar 21 '17 at 06:21
1

This needs some description as to what you are actually trying to convey here to the OP. – Keith Jackson Oct 29 '19 at 17:06

What is the idea behind IIdentity and IPrincipal in .NET

4 Answers4

Linked