What is the claims in ASP .NET Identity

Question

Can somebody please explain, what the claim mechanism means in new ASP.NET Identity Core?

As I can see, there is an AspNetUserLogins table, which contai

Answer 1

There are two types of authentication in ASP.Net identity.

1. Role based
2. Claim based

You can either use one of them or both at the same time. Use role based when you have very defined things. For example you create two rolea teacher and student. Only teacher can add subjects. So you assigned teacher role to those users whose you want to have access to add subjects.

Claim based is more flexible. Suppose you have a requirement some students can also add subjects. In this case you have to create one more role who can be student and access to add subject. But if you are using claim based it would be very easy. Just create claim like addSubject and assign it to any user whise you want to access to add aubject.

Answer 2

Just to add more on what @Lin has said above. I am specifically refering to the question:

What time i have to use role-based security and when claim-based? Could you please write a few examples?

Consider a case where you have a clocking system where you have a technician and a manager. At the end of every week, the technician must arrange reports with clocking information showing hours of work artisans worked for that week, which is consolidated and used by payroll. Such systems often have to be amended or corrected before final reports are submitted, because you don't want to overpay or underpay your employees. You can use a Role-Based approach for the Manager and Technician by creating a Manager Role and Technician Role. But the Manager Role is the one with the ability to access and edit the clocking information of the artisans. On the other hand, you can have the Technician Role without these abilities to access that information. But Here's the interesting part; A manager can make a claim and allow a technician to access the Clocking Systems and make reports. So a claim can be made only for access without edit or can be made with access and edit capabilities.

It is more like saying, Well, By default as the manager I can access some information that my technician can't access. But I am not always around the office? what can I do so that he can still do the work even when I am not around? To solve this the system can have the feature for the managers to create claims for people without access to some specific information. We often see these everywhere in our ERP systems. A user without access to some modules and when they get promoted they're giving permission to more modules of the ERP system, sometimes keeping the same user role.

This is an example you can consider to understand claims and roles more.

Answer 3

what does claim mechanism means in new ASP.NET Identity Core?

There are two common authorization approaches that are based on Role and Claim.

Role-Based Security

A user gets assigned to one or more roles through which the user gets access rights. Also, by assigning a user to a role, the user immediately gets all the access rights defined for that role.

Claims-Based Security

A claims-based identity is the set of claims. A claim is a statement that an entity (a user or another application) makes about itself, it's just a claim. For example a claim list can have the user’s name, user’s e-mail, user’s age, user's authorization for an action. In role-based Security, a user presents the credentials directly to the application. In a claims-based model, the user presents the claims and not the credentials to the application. For a claim to have practical value, it must come from an entity the application trusts.

Below steps illustrate the sequence of that happens in a claims-based security model:

1. The user requests an action. The relying party (RP) application asks for a token.
2. The user presents the credentials to the issuing authority that the RP application trusts.
3. The issuing authority issues a signed token with claims, after authenticating the user’s credentials.
4. The user presents the token to the RP application. The application validates the token signature, extracts the claims, and based on the claims, either accepts or denies the request.

But, i still can't understand and find any information, when data addes to AspNetUserClaims and what situations this table using for?

When you are in a situation where a Role-Based Security is not used, and you chose to use Claim-Based Security, you would need to utilize AspNetUserClaims table. For how to use Claims in ASP.NET Identity, see below link for more information.

http://kevin-junghans.blogspot.com/2013/12/using-claims-in-aspnet-identity.html

Update

What time i have to use role-based security and when claim-based? Could you please write a few examples?

There isn't a very clear situation where you would or would not use Role-Based or Claim-Based Security, Not like a case where you would use A rather than B.

But, claim-Based access control allows better separation of authorization rules from the core business logic. When authorization rules change, the core business logic remain unaffected. There will be situations where you might prefer using Claim-Based approach.

Sometimes claims aren't needed. This is an important disclaimer. Companies with a host of internal applications can use Integrated Windows Authentication to achieve many of the benefits provided by claims. Active Directory does a great job of storing user identities, and because Kerberos is a part of Windows, your applications don't have to include much authentication logic. As long as every application you build can use Integrated Windows Authentication, you may have already reached your identity utopia. However, there are many reasons why you might need something other than Windows authentication. You might have web-facing applications that are used by people who don't have accounts in your Windows domain. Another reason might be that your company has merged with another company and you're having trouble authenticating across two Windows forests that don't (and may never) have a trust relationship. Perhaps you want to share identities with another company that has non-.NET Framework applications or you need to share identities between applications running on different platforms (for example, the Macintosh). These are just a few situations in which claims-based identity can be the right choice for you.

For more information, please visit http://msdn.microsoft.com/en-us/library/ff359101.aspx