0

I'm trying to learn ASP.NET.

There's a course that I'm following and I can't really understand a few things.

Here's the code, in a controller:

```csharp
[HttpPost("login")]
public async Task<IActionResult> Login(UserForLoginDto userForLoginDto)
{
    var userFromRepo = await _repo.Login(userForLoginDto.Username.ToLower(), userForLoginDto.Password);
    if (userFromRepo == null)
    {
        return Unauthorized();
    }

    // The claims that will be stored in the token payload
    var claims = new[]
    {
        new Claim(ClaimTypes.NameIdentifier, userFromRepo.Id.ToString()),
        new Claim(ClaimTypes.Name, userFromRepo.Username)
    };

    // Symmetric key read from configuration, used to sign the token
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config.GetSection("AppSetings:Token").Value));
    var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha512Signature);

    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(claims),
        Expires = DateTime.Now.AddDays(1),
        SigningCredentials = creds
    };

    var tokenHandler = new JwtSecurityTokenHandler();
    var token = tokenHandler.CreateToken(tokenDescriptor);

    return Ok(new
    {
        token = tokenHandler.WriteToken(token)
    });
}
```

I can't understand the claims array. I've been searching online for a while, and I don't get it. Why do I need it and how does it work?

I've found this to be quite useful, but I still don't fully understand it: What is the claims in ASP .NET Identity

Can anybody help me get this concept? Why do we need it and how does it work?

Thanks.

Preben Huybrechts
  • 5,853
  • 2
  • 27
  • 63

2 Answers

1

What are claims?
Assume you are an officer at the border and your job is to issue immigration permits to immigrants. Before you issue a permit to anyone, the person must be able to identify himself and show that he really belongs to the country which he is claiming to come from. That person might bring his certificate of birth, national ID card, visa or any authorized means of identification. Those things are called claims. The person has to show you something which proves to you that he really is from that country. Sometimes, one claim presented is enough. In another country, they might say that you must provide at least three claims (i.e. means of identification) before they issue you this permit, just to make it tough for countries with higher security issues.

That array could simply have just one claim inside; you could choose to put as many claims as you wish and make other rules internally to make your system tougher and more secure. It's up to you.

Tavershima
  • 141
  • 8
1

The best example is the driving license. A driving license can have the following claims

  • Name
  • Birthday
  • Allowed to drive a car
  • Allowed to drive a motorcycle
  • Allowed to drive a truck
  • Allowed to drive a bus
  • ...

When the police stop you in your vehicle, they will validate whether you are authorised to drive the specific vehicle and whether the issuer is to be trusted before allowing you to continue your journey. To get more info you could read this article.

The same concept goes with claim based authorisation. A specific user can have different claims that can grant him access to different functionalities.

When you connect an authorization provider like Facebook or Google, you can ask for specific claims; not every application needs a birthdate to function, while some others might need it to verify whether the user is of legal age.

Preben Huybrechts
  • 5,853
  • 2
  • 27
  • 63
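To make both answers concrete for the code in the question, here is an added example (not from the question, the course it follows, or either answer) that shows the whole round trip: the claims array becomes the signed payload of the JWT, and on a later request the server verifies the signature and expiry before it trusts those claims and checks them, exactly like the police checking a licence and its issuer. It assumes a console project that references the NuGet package System.IdentityModel.Tokens.Jwt, and it uses a hypothetical hard-coded secret in place of the `AppSetings:Token` configuration value from the question.

```csharp
// Added example; not code from the question or the course.
// Requires the NuGet package System.IdentityModel.Tokens.Jwt.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class ClaimsDemo
{
    // Hypothetical secret standing in for the "AppSetings:Token" setting in the question.
    // HMAC-SHA512 signing needs a key of at least 64 bytes, otherwise CreateToken throws.
    private const string Secret =
        "hypothetical-demo-secret-that-is-at-least-sixty-four-bytes-long-0123456789";

    // Same shape as the Login action: the claims array is what ends up in the token payload.
    public static string IssueToken(int userId, string username)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.NameIdentifier, userId.ToString()),
            new Claim(ClaimTypes.Name, username)
        };
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Secret));
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Expires = DateTime.UtcNow.AddDays(1),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha512Signature)
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // What the JWT bearer middleware does on every later request: verify the signature and
    // the expiry, then turn the payload back into the ClaimsPrincipal exposed as HttpContext.User.
    // Returns null when the token must not be trusted.
    public static ClaimsPrincipal? Validate(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Secret)),
            ValidateIssuer = false,   // the question's token carries no issuer or audience
            ValidateAudience = false,
            ClockSkew = TimeSpan.Zero
        };
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            return null; // bad signature, expired, or malformed: the claims inside are worthless
        }
    }

    public static void Main()
    {
        var token = IssueToken(42, "alice");
        Console.WriteLine("Token: " + token);

        // The server now reads the claims back. In a controller this is
        // User.FindFirst(ClaimTypes.NameIdentifier)?.Value and User.HasClaim(...).
        var user = Validate(token);
        Console.WriteLine("User id claim: " + user?.FindFirst(ClaimTypes.NameIdentifier)?.Value);
        Console.WriteLine("Has name claim 'alice': " + user?.HasClaim(ClaimTypes.Name, "alice"));

        // Change one character of the signature: same claims, but the issuer check fails,
        // so none of them are trusted any more.
        var tampered = token.Substring(0, token.Length - 1) + (token.EndsWith("a") ? "b" : "a");
        Console.WriteLine("Tampered token accepted: " + (Validate(tampered) != null));
    }
}
```

The point of the example is the second half: a claim such as "Allowed to drive a truck" (or, in the question, the user's id) only means something because the server re-checks the signature with its own key before reading it. Anything the client could have written into the payload without that signature would be rejected, which is why the claims array is built on the server at login rather than sent by the client. Default claim-type mapping in `JwtSecurityTokenHandler` turns `ClaimTypes.NameIdentifier` into the short `nameid` name inside the token and back again on validation, so `FindFirst(ClaimTypes.NameIdentifier)` works on both sides.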