4

I'm working on an ASP.NET MVC application that uses Identity 2 to authenticate and authorize users, but it seems I need more features than roles-based authorization, so I want to change my method and use a claims-based method to create the application.

Update: Consider that I want to set access permission for a specific user to access a specific action.

But the problem is there is nothing to learn from. I mean, I know what a claim is, but I don't know how to implement it and create users and things.

I'm wondering why there's nothing to learn how to implement claims-based out there! That's why I asked this question.

I need something like a prepared project or a step-by-step tutorial. Is there anything to teach how to handle claims?

Hooman Limouee
  • The best thing to do may be to store the custom access information inside the resource database. In other words, you don't need to put it in claims or the identity framework. You've identified the user and the user can be linked to your resource (like add a claim with UserId). No need to send this detailed information across the net. –  May 05 '17 at 23:34
  • Yeah, I think it's a better approach, but I realized that maybe using claims is the standard way to perform what I said. By the way, I've done something similar to your idea @RuardvanElburg – Hooman Limouee May 06 '17 at 05:20
  • In general, the blogs of Dominick Baier (IdentityServer4) are interesting to read. They contain lots of information and thoughts: https://leastprivilege.com/2016/12/16/identity-vs-permissions/ –  May 06 '17 at 07:25

1 Answer

4

Please take a look at Policies in ASP.NET Core.

In a Policy you can make use of Claims + Roles + whatever you want. All this is built into ASP.NET.

Here is the official reference:

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies

If you're not using .NET Core you'll need a custom implementation like this authorization filter:

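```csharp
using System.Security.Claims;
using System.Web.Mvc;

// MVC 5 authorization filter that requires a specific claim (type + value).
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string claimType;
    private readonly string claimValue;

    public ClaimsAuthorizeAttribute(string type, string value)
    {
        this.claimType = type;
        this.claimValue = value;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User as ClaimsPrincipal;
        if (user != null && user.HasClaim(claimType, claimValue))
        {
            // Claim present: continue with the standard [Authorize] checks.
            base.OnAuthorization(filterContext);
        }
        else
        {
            // Claim missing (or the user is not a ClaimsPrincipal): reject the request.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}
```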

Code extracted from MVC5 Claims version of the Authorize attribute

Ricardo
  • Hi Ricardo, you mean there's documentation for asp.net core `claims-based` authorization? – Hooman Limouee May 03 '17 at 06:35
  • Yes, you have to use policy. In policy you configure which claims you use. Take a look: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims#adding-claims-checks – Ricardo May 04 '17 at 01:14
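
The policy-based claims check that the answer and its comments point to, shown for the question's case of one user being allowed one action. This is an added example, not code from the answer or from the linked documentation; it assumes an ASP.NET Core (.NET 6+) web project with implicit usings, and the claim type, claim value, policy name, routes and user name are hypothetical.

```csharp
// Added example. Assumes an ASP.NET Core (.NET 6+) web project with implicit usings.
// "permission", "Reports.Export", "CanExportReports", the routes and the user
// "alice" are hypothetical names constructed for this illustration.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();

builder.Services.AddAuthorization(options =>
{
    // A policy is a named set of requirements. This one passes only when the
    // signed-in principal carries the claim permission=Reports.Export.
    options.AddPolicy("CanExportReports", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("permission", "Reports.Export"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Demo-only sign-in with no password check. In a real application the claims
// are loaded from the user store after authentication, never from the request.
app.MapPost("/demo-signin/{userName}", async (string userName, HttpContext http) =>
{
    var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
    if (userName == "alice") // constructed rule: only alice holds the permission
        claims.Add(new Claim("permission", "Reports.Export"));

    var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                           new ClaimsPrincipal(identity));
    return Results.Ok();
});

// Anonymous callers are challenged (redirect to the login path); signed-in
// callers without the claim are forbidden (redirect to the access-denied path).
app.MapGet("/reports/export", (ClaimsPrincipal user) => $"export for {user.Identity!.Name}")
   .RequireAuthorization("CanExportReports");

app.Run();
```

With cookie authentication the claims are copied into the cookie at sign-in, so a permission granted or revoked afterwards only takes effect once the cookie is reissued.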