62

I am trying to understand the security model behind .NET based on claims for the application (Relying Party).

I know there are 2 major classes:

  • ClaimsPrincipal - security context for the running process
  • ClaimsIdentity - stores information about the user - authentication status and claims

The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.

To me, the ClaimsPrincipal, other than using it to get the current identity, excuse my ignorance, it's useless.

What am I missing other than what I stated and let's say backwards compatiblity in regard to the ClaimsPrincipal class?

christiaantober
  • 251
  • 3
  • 10
Dan
  • 1,555
  • 2
  • 14
  • 30

3 Answers3

122

The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.

This is a wrong assumption. In fact the ClaimsPrincipal in context will always have more than 1 identity if your application requires n factor authentication (n > 1).

Try looking at it this way.

Principal = User

Identity = Driver's License, Passport, Credit Card, Google Account, Facebook Account, RSA SecurID, Finger print, Facial recognition, etc.

If you're pulled over by the police, they don't verify you're who you claim to be, based on your driver's license alone. They also need to see your face. Otherwise you could show anyones driver's license.

Hence it makes sense, why authentication can and sometimes should be based on multiple identities. That's why 1 ClaimsPrincipal can have any number of ClaimsIdentity.

Ali Reza Dehdar
  • 1,991
  • 1
  • 15
  • 17
  • 2
    This was an excellent explanation. Definitely +1 for that. Now, do you happen to have answered with a similar quality and insight on other questions regarding the architecture (or rather philosophy) of the concepts of security setups? I've checked around but wasn't lucky getting anything like that. More specifically, I'd like to see an explanation on the relation between claims, scopes, policies and resources. (NB **not** the definition **nor** common examples but rather **brief** (metaphorical) comparison with "real life" concepts as well as a few typical cases - just like you did here). – Konrad Viltersten Jul 28 '21 at 03:59
  • Thanks for the compliment @KonradViltersten. Have you checked the official documentation? I suggest going through the quick starts to really get a grasp of the concepts of claims, scopes and resources. Not sure what policies is. https://docs.duendesoftware.com/identityserver/v5/fundamentals/ – Ali Reza Dehdar Aug 04 '21 at 21:00
  • 1
    I've been reading up in the official docs for IDS4. I understand they have started a new company (Duende) and will reboot from there- I wasn't sure if the docs in there were reliable yet, though. I will certainly take a look. – Konrad Viltersten Aug 05 '21 at 05:48
12

As stated above a user is of type claimsprincipal which is made up of claimsidentity

I made a diagram to easier explain it:

enter image description here

I would highly suggest you read this if youre struggling with claims https://andrewlock.net/introduction-to-authentication-with-asp-net-core/

Stanley
  • 2,434
  • 18
  • 28
8

One important security principle is "who says" i.e. do we trust the party that is asserting the claims against the identity, so for a particular ClaimsPrincipal we might have different identities each of which is asserting a different set of claims, which allow us to determine the overrall access control in the application,

Let's take the example of an enterprise application which is being authenticated via Windows Authentication where we also want to assert some access control based on teams or departments which are in the application database.

Using the ClaimsTransformationManager we can unify these two sets, i.e. after authenticating the user we can look up the user's team/department in the database and create a set of claims issued by the application.

So now we have the roles (which are claims under the hood) being asserted by Windows and an application identity asserting the custom claims of teams or department.

Paul Hatcher
  • 7,342
  • 1
  • 54
  • 51