I am trying to wrap my head around the Asp.Net Identity. But unfortunately the available documentation is not very clear or I feel it is just over my head :(

However, the following is a high level understanding based on all day research and reading. When a user is logged in, a collection of claims is provided. Using these claims you can enable/disable features. For example, if a user claims their age is 30 years old, then you can allow them to view adult only content, but if they claim to be 17 then you deny access to him/her :). Additionally, roles assigned to users like "Admin", "Super Users"... can be used to enable/disable access. If the user has the "Admin" role, then you can allow them to access action method X.

However, there are lots of things that are confusing me and not allowing me to clearly wrap my head around it.

Scenario

Assume I want to create a new application with one controller. This controller has two action methods Add and Edit. I am guessing that I will need two claims for each user

```csharp
new Claim {
  UserId = 10,
  ClaimType = "Can Add",
  ClaimValue = null
},

new Claim {
  UserId = 10,
  ClaimType = "Can Edit",
  ClaimValue = null
},

new Claim {
  UserId = 5,
  ClaimType = "Can Edit",
  ClaimValue = null
}
```

In this case the user with the Id = 10 "Can Add" and "Can Edit" but the user with the UserId = 5 "Can Add" but can't edit.

When are these claims created and assigned to the user? Do I create these claims as needed by manually inserting them in the AspNetUserClaims table? Do I assign them to the users from their profile?

What if I need to add a new claim in the future, do I need to manually assign this new claim to all the users, or is there a way to assign these claims to a default role from which the users can inherit?

This may not be a great question, but answering it will help me understand the Identity better.

Jaylen

Answer
Claims should be set when the user logs in. You should not set them directly in the database. See this post to understand when to set claims.

A claim is information about the user. You can then use that information for authorization (or anything else).

Note that you should always set a value on your Claims or else you might run into a nonexistent claim error.

Gabriel GM
  • I am now more confused. Are the claims temporary and available to a single session only, or are they permanent? Are claims a place to obtain info about the user like their name, email, phone.... or a place where I can know what they can do/access, like can perform X operation, or both? For some reason I started to think that the authorization package may not support permission based authorization out of the box. Is this something I need to implement and somehow take the permissions and embed them into one custom claim? – Jaylen Sep 19 '16 at 03:45
  • Authorization is not based on Claims (you can create a ClaimAuthorizationAttribute if you want, but it's not in the framework by default). If you want to permanently store the user Name, email or phone, put it in the user. Store data in the user. If you need calculated fields, or just information everywhere, use Claims. Keep in mind that Claims belong to the Identity, not the User. – Gabriel GM Sep 19 '16 at 13:20
  • I see. Thank you for the info. A couple of last questions: then are claims temporary, and if so when are they removed from the database? Also, is role-based authorization the only authorization capability available out of the box? And what is Authorize(Policy="something") used for? Again, thanks a lot for the info you provided so far, it helps a lot to understand the overall idea – Jaylen Sep 19 '16 at 14:17
  • Usually, you would assign Claims at log in. The database helps you persist the claims, usually when you want your login to persist after the asp session expires. – Gabriel GM Sep 19 '16 at 15:06
  • For authorization, Role-based and User-based are out of the box. Concerning Policy, you can see it as a group of rules. You can also base a policy on Claims. Here is a good site to [explain policy based security](https://leastprivilege.com/2015/10/12/the-state-of-security-in-asp-net-5-and-mvc-6-authorization/). – Gabriel GM Sep 19 '16 at 15:09
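As an added example (not code from the question or the answer), assuming ASP.NET Core Identity 2.x or later: permission claims are generated at sign-in from the user's roles by a custom claims principal factory, every claim carries a value, and two policies check them on the Add and Edit actions. The "permission" claim type, the "Admin"/"Editor" role names and ItemsController are assumed for illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Called from Startup.ConfigureServices. A policy is a named group of rules
// evaluated against the claims of the signed-in principal, not against the database.
public static class PermissionPolicies
{
    public const string ClaimType = "permission"; // assumed custom claim type

    public static void Register(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CanAdd", p => p.RequireClaim(ClaimType, "add"));
            options.AddPolicy("CanEdit", p => p.RequireClaim(ClaimType, "edit"));
        });
        // Replace the default factory so permission claims are built at sign-in.
        services.AddScoped<IUserClaimsPrincipalFactory<IdentityUser>, PermissionClaimsFactory>();
    }
}

// Runs when the user signs in: derives permission claims from the user's roles, so a
// new permission is a rule change here rather than a row per user in AspNetUserClaims.
public class PermissionClaimsFactory : UserClaimsPrincipalFactory<IdentityUser, IdentityRole>
{
    public PermissionClaimsFactory(UserManager<IdentityUser> users, RoleManager<IdentityRole> roles,
        IOptions<IdentityOptions> options) : base(users, roles, options) { }

    protected override async Task<ClaimsIdentity> GenerateClaimsAsync(IdentityUser user)
    {
        var identity = await base.GenerateClaimsAsync(user); // name, id and role claims
        var roles = await UserManager.GetRolesAsync(user);
        // Each claim gets a non-null value, as the answer advises; assumed role names.
        if (roles.Contains("Admin"))
            identity.AddClaim(new Claim(PermissionPolicies.ClaimType, "add"));
        if (roles.Contains("Admin") || roles.Contains("Editor"))
            identity.AddClaim(new Claim(PermissionPolicies.ClaimType, "edit"));
        return identity;
    }
}

public class ItemsController : Controller
{
    [Authorize(Policy = "CanAdd")] public IActionResult Add() => View();
    [Authorize(Policy = "CanEdit")] public IActionResult Edit(int id) => View();
}
```

Because the claims are rebuilt from roles at each sign-in, a user whose role is revoked loses the permission at their next login without any edit to AspNetUserClaims.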