With .NET 4.5 a new base class for identities was introduced: the ClaimsIdentity class. The reason is that Windows Identity Foundation has been fully incorporated into the .NET framework, and it has really improved the .NET identity model.
What is a Claim?
This might be a stupid question – but I’ve had a hard time finding a definition of what a claims identity is that feels natural. (It might be a language issue, as I’m not a native English speaker and find the word claim somewhat hard to translate properly to Swedish.)
I prefer to explain a claim as a piece of fact. A claims identity is a set of claims or facts, bundled together in an identity. Each claim is made up of a key and a value. An example identity for me could contain these claims:
| Type | Value |
|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Anders |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Abel |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | anders@abel.nu |
So far this is just a set of claims or facts. Being structured as a list of keys and values, it can contain pretty much whatever you want. In this case I’ve used the well-known types for standard parameters, but you can define your own too. Thanks to the flexible structure, any kind of identity can be expressed as a claims identity. It is not only possible – it is used! The old identity classes have all been rewritten to inherit from the new ClaimsIdentity class.
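To make the key/value structure concrete, here is an added example (my code, not from the original post) that builds the identity from the table above as a ClaimsIdentity and queries it. The ClaimTypes constants resolve to the same URIs listed in the Type column; the custom department claim type and the "Demo" authentication type are made-up values for the example.

```csharp
using System;
using System.Security.Claims;

// Added example: the table above expressed as a ClaimsIdentity.
static class ClaimsIdentityDemo
{
    public static ClaimsIdentity BuildIdentity()
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "Anders"),          // .../identity/claims/name
            new Claim(ClaimTypes.Surname, "Abel"),         // .../identity/claims/surname
            new Claim(ClaimTypes.Email, "anders@abel.nu"), // .../identity/claims/emailaddress
            // A custom claim type (hypothetical URI): any string you define works as a key.
            new Claim("http://example.com/claims/department", "Engineering")
        };

        // The authenticationType argument ("Demo" is a made-up value) is what makes
        // IsAuthenticated true. An identity built from the same claims without it
        // is treated as anonymous, even though it carries claims.
        return new ClaimsIdentity(claims, "Demo");
    }

    public static void Main()
    {
        ClaimsIdentity identity = BuildIdentity();
        var principal = new ClaimsPrincipal(identity);

        // ClaimTypes.Name is the URI from the first row of the table.
        Console.WriteLine(ClaimTypes.Name);

        // identity.Name is read from the claim whose type is NameClaimType
        // (ClaimTypes.Name by default), so it returns "Anders" here.
        Console.WriteLine(identity.Name);
        Console.WriteLine(identity.IsAuthenticated);

        // Look up a single claim by type; FindFirst returns null when absent.
        Claim email = principal.FindFirst(ClaimTypes.Email);
        Console.WriteLine(email != null ? email.Value : "(no email claim)");

        // Custom types are queried the same way as the well-known ones.
        Console.WriteLine(principal.HasClaim("http://example.com/claims/department", "Engineering"));

        foreach (Claim c in identity.Claims)
        {
            Console.WriteLine("{0}: {1}", c.Type, c.Value);
        }
    }
}
```

The point worth noticing is the second constructor argument: claims alone do not make an authenticated identity, and code that checks IsAuthenticated will treat a claim-carrying identity without an authentication type as anonymous.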
The Authority
Producing a set of claims is easy – I can make up my own that claims I’m part of the super enterprise extra control administrators group. To make a security system complete there must be an issuer. In the case of a WindowsIdentity, the Windows operating system authenticates the user and issues the identity. In the case of more complex federation scenarios there is a security token service (STS) that issues the identity, in the form of a cryptographically signed set of claims.
Everything is now a ClaimsIdentity
The old WindowsIdentity class has been rewritten to inherit from ClaimsIdentity. Internally it overrides everything and relies on the old code, but still – it is a huge step towards a more general identity model to have everything behave as claims identities.
I used the following code snippet to output my current Windows identity as a set of claims:
```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;

// WindowsIdentity derives from ClaimsIdentity in .NET 4.5, so no cast is needed.
ClaimsIdentity identity = WindowsIdentity.GetCurrent();
foreach (var c in identity.Claims)
{
    Console.WriteLine("{0}: {1}\n", c.Type, c.Value);
}
```
It outputs my user name and the Windows Security IDs of my user and the groups I belong to, presented as claims.
```text
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: MYDOMAIN\MYUSER
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid: S-1-5-21-2456453529-233585608-1594492042-3571
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid: S-1-5-21-2456453529-233585608-1594492042-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-21-2456453529-233585608-1594492042-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-21-2859876727-1261456666-3238956704-1013
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid: S-1-5-32-544
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-4
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-2-1
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-11
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-2-0
... continued ...
```
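One detail in that output deserves a closer look: BUILTIN\Administrators (S-1-5-32-544) shows up under the denyonlysid claim type rather than groupsid, which is how a UAC-filtered token represents a group that is present for deny checks only. The following added example (my code, not from the original post; Windows only) reads the current Windows identity as claims and checks group membership through the GroupSid claims, so a deny-only group is not mistaken for an effective membership. The well-known SIDs are resolved through SecurityIdentifier rather than typed in by hand.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;

// Added example: group checks against the GroupSid / DenyOnlySid claims of a WindowsIdentity.
static class WindowsClaimsDemo
{
    // S-1-5-32-544 (BUILTIN\Administrators) and S-1-5-32-545 (BUILTIN\Users),
    // obtained from the well-known SID enum instead of hard-coded strings.
    static readonly string AdministratorsSid =
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null).Value;
    static readonly string UsersSid =
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null).Value;

    // Only GroupSid claims count as membership. A SID that appears under
    // DenyOnlySid (Administrators in the output above) is in the token so that
    // deny ACEs still apply; it must not be treated as a granted group.
    public static bool IsEffectiveMember(ClaimsIdentity identity, string sid)
    {
        return identity.HasClaim(ClaimTypes.GroupSid, sid);
    }

    public static bool IsDenyOnly(ClaimsIdentity identity, string sid)
    {
        return identity.HasClaim(ClaimTypes.DenyOnlySid, sid);
    }

    public static void Main()
    {
        ClaimsIdentity identity = WindowsIdentity.GetCurrent();

        Console.WriteLine("User: {0}", identity.Name);
        Console.WriteLine("Effective member of Users: {0}", IsEffectiveMember(identity, UsersSid));
        Console.WriteLine("Effective member of Administrators: {0}", IsEffectiveMember(identity, AdministratorsSid));
        Console.WriteLine("Administrators present as deny-only (filtered token): {0}",
            IsDenyOnly(identity, AdministratorsSid));

        // Translate each group SID to an account name where the local machine can map it.
        foreach (Claim c in identity.FindAll(ClaimTypes.GroupSid))
        {
            string name;
            try
            {
                name = new SecurityIdentifier(c.Value).Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = "(unmapped)";
            }
            Console.WriteLine("{0} -> {1}", c.Value, name);
        }
    }
}
```

Run from a non-elevated prompt on an account that is in Administrators, the Administrators SID is reported as deny-only and not as an effective membership; from an elevated prompt it moves to the GroupSid claims. Authorization code that looks only at HasClaim(ClaimTypes.GroupSid, ...) therefore gets the same answer the operating system itself would give.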
Multiple Authentication Schemes
In a current project, I am about to implement multiple authentication methods in the same application. Having all those authentication methods produce compatible claims identities is a huge advantage. To allow another authentication scheme, the only thing needed is another authentication module that produces the claims identity.
Once inside the application, the authorization code only assumes that there is a claims identity and works against those claims. The authentication and authorization have effectively been decoupled and can be changed independently.
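The two ideas from the sections above, that every claim needs an issuer and that authorization should see only a claims identity regardless of which scheme produced it, fit in one added example (my code, not from the original post). Two hypothetical authentication modules stand in for a Windows logon and for a federated token from an STS; the issuer names, account names and role values are made up, and the STS signature check is assumed to have already happened before the token's contents are mapped to claims. The authorization method never asks which module ran, but it does refuse a role claim whose issuer the application does not trust.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example: two authentication modules, one scheme-agnostic authorization check.
static class MultiSchemeDemo
{
    // Issuers this application has decided to trust (hypothetical names).
    static readonly HashSet<string> TrustedIssuers = new HashSet<string>
    {
        "AD AUTHORITY",
        "https://sts.example.com"
    };

    // Module 1: stands in for a Windows logon. Each claim records its issuer.
    public static ClaimsIdentity AuthenticateWindows(string account, IEnumerable<string> groups)
    {
        var identity = new ClaimsIdentity("Windows");
        identity.AddClaim(new Claim(ClaimTypes.Name, account, ClaimValueTypes.String, "AD AUTHORITY"));
        foreach (string g in groups)
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, g, ClaimValueTypes.String, "AD AUTHORITY"));
        }
        return identity;
    }

    // Module 2: stands in for a federated token whose signature was verified
    // earlier; this only maps the validated contents to claims.
    public static ClaimsIdentity AuthenticateFederated(string subject, IEnumerable<string> roles, string issuer)
    {
        var identity = new ClaimsIdentity("Federation");
        identity.AddClaim(new Claim(ClaimTypes.Name, subject, ClaimValueTypes.String, issuer));
        foreach (string r in roles)
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, r, ClaimValueTypes.String, issuer));
        }
        return identity;
    }

    // Authorization: works against claims only. A role counts when an issuer
    // on the trusted list asserted it, so a claim somebody simply made up
    // (issuer "LOCAL AUTHORITY", the ClaimsIdentity.DefaultIssuer) never grants access.
    public static bool IsInRole(ClaimsPrincipal principal, string role)
    {
        return principal.Claims.Any(c =>
            c.Type == ClaimTypes.Role &&
            c.Value == role &&
            TrustedIssuers.Contains(c.Issuer));
    }

    public static void Main()
    {
        var fromWindows = new ClaimsPrincipal(
            AuthenticateWindows(@"MYDOMAIN\MYUSER", new[] { "Admins" }));
        var fromSts = new ClaimsPrincipal(
            AuthenticateFederated("anders@abel.nu", new[] { "Admins" }, "https://sts.example.com"));

        // The "made up my own claim" case from the section on the authority:
        // no issuer given, so Claim.Issuer falls back to ClaimsIdentity.DefaultIssuer.
        var selfAsserted = new ClaimsIdentity("Manual");
        selfAsserted.AddClaim(new Claim(ClaimTypes.Role, "Admins"));
        var fromNowhere = new ClaimsPrincipal(selfAsserted);

        Console.WriteLine("Windows identity in Admins:    {0}", IsInRole(fromWindows, "Admins"));
        Console.WriteLine("Federated identity in Admins:  {0}", IsInRole(fromSts, "Admins"));
        Console.WriteLine("Self-asserted claim in Admins: {0}", IsInRole(fromNowhere, "Admins"));
        Console.WriteLine("Self-asserted claim issuer:    {0}", selfAsserted.Claims.First().Issuer);
    }
}
```

Adding a third scheme means writing a third module that returns a ClaimsIdentity and, if it has its own authority, adding that authority to the trusted list; IsInRole does not change. The issuer check is what turns "a set of claims" into something authorization can rely on, since without it the self-asserted identity would pass the same role test as the two authenticated ones.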