Best IT Recipes

ASP.NET Identity Role and Claim Guidelines

I am completely new to using claims in ASP.NETIdentity and want to get an idea of ​​the best practices for using Roles and/or Claims .

After all this reading, I still have questions like ...

Q: We are no longer using roles?
Q: If so, why are roles still being offered?
Q: Should we use only claims?
Q: Should we use roles and claims together?

My initial thought was that we “should” use them together. I see claims as subcategories for the Roles that they support.

FOR EXAMPLE:
Role: Accounting
Claims: CanUpdateLedger, CanOnlyReadLedger, CanDeleteFromLedger

Q: Should they be mutually exclusive?
Question: Or is it better to turn to claims ONLY and "fully qualify" your claims?
Q: So what are the best methods here?

EXAMPLE: Using Roles and Claims Together
Of course you need to write your own attribute logic for this ...

 [Authorize(Roles="Accounting")] [ClaimAuthorize(Permission="CanUpdateLedger")] public ActionResult CreateAsset(Asset entity) { // Do stuff here return View(); }

EXAMPLE: Fully qualify your claims

 [ClaimAuthorize(Permission="Accounting.Ledger.CanUpdate")] public ActionResult CreateAsset(Asset entity) { // Do stuff here return View(); }
+84
asp.net-mvc claims-based-identity roles
Jun 21 '15 at 1:01
source share
4 answers

A role is a symbolic category that brings together users who have the same security privilege levels. For role-based authorization, you must first identify the user, then determine the roles to which the user is assigned, and finally compare these roles with roles that are allowed access to the resource.

On the contrary, a claim is the user's right to identify themselves. In other words, "I am allowed to do this because I have this requirement." In general, claims-based authorization includes role-based authorization. More precisely, membership in roles is determined on the basis of identity, and identification is just one type of right to claim value. Roles are essentially a very specific kind of requirement, that is, "Since my username is this, I am a member of this role. As I am a member of this role, I have access to this resource."

You can use both at a concert and use one type in some situations, and the other in other situations. It mainly depends on interaction with other systems and your management strategy. For example, it might be easier for a manager to manage a list of users assigned to a role than managing someone who has a specific complaint. Claims can be very useful in a RESTful scenario where you can assign a request to a client, and the client can submit an authorization request, rather than passing a username and password for each request.

+72
Jun 21 '15 at 1:20
source share

As @Claies perfectly explained, claims can be more descriptive and play an important role. I think of them as your roles. I have a gym, so I belong to the role of members. I am also in kickboxing lessons, so I have complaints about them; kickboxing id. My application will need to declare a new role in order to comply with my membership rights. Instead, I have identifiers for every special thing I can do in the gym; instead of many new types of membership. That's why claims suit me better.

There is an excellent video explaining Barry Dorrans about the benefits of using claims over roles. He also states that roles are still in .NET for backward compatibility. This video is very informative about how applications, roles, policies, authorization and authentication work.

You can find it here: ASP.NET Core Authorization with Barr Dorrans

+25
Jan 07 '17 at 7:41
source share

For decades, various authentication and authorization methods have been used, and the following methodology is used in my current MVC application.

Claims are used for all authorizations. Users are assigned one role (several roles are possible, but I do not need it) - more details below.

Typically, the ClaimsAuthorize attribute class is used. Since most of the controller actions are CRUD, I have a routine in the database generation with the first code that repeats all the controller actions and creates ticket types for each attribute of the Read / Edit / Create / Delete controller action. For example. of,

 [ClaimsAuthorize("SomeController", "Edit")] [HttpPost]

For use in MVC View, the base class of the controller represents the elements of the view package.

  protected override void OnActionExecuting(ActionExecutingContext filterContext) { // get user claims var user = filterContext.HttpContext.User as System.Security.Claims.ClaimsPrincipal; if (user != null) { // Get all user claims on this controller. In this controler base class, [this] still gets the descendant instance type, hence name List<Claim> claims = user.Claims.Where(c => c.Type == this.GetType().Name).ToList(); // set Viewbag with default authorisations on this controller ViewBag.ClaimRead = claims.Any(c => c.Value == "Read"); ViewBag.ClaimEdit = claims.Any(c => c.Value == "Edit"); ViewBag.ClaimCreate = claims.Any(c => c.Value == "Create"); ViewBag.ClaimDelete = claims.Any(c => c.Value == "Delete"); } base.OnActionExecuting(filterContext); }

For the website menu and other non-controller actions, I have other complaints. For example. whether the user can view a specific money field.

 bool UserHasSpecificClaim(string claimType, string claimValue) { // get user claims var user = this.HttpContext.User as System.Security.Claims.ClaimsPrincipal; if (user != null) { // Get the specific claim if any return user.Claims.Any(c => c.Type == claimType && c.Value == claimValue); } return false; } public bool UserHasTradePricesReadClaim { get { return UserHasSpecificClaim("TradePrices", "Read"); } }

So where do the roles fit in?

I have a table that associates a role with (by default) a set of requirements. When you configure user authorization by default, the user receives assertions about his role. Each user may have more or fewer claims than the default. To simplify editing, the list of claims is shown by the controller and actions (in a row), and then other claims are listed. Buttons are used with a small amount of Javascript to select a set of actions to minimize the “clicks” required to select statements. When saving applications, users are deleted, and all selected applications are added. The web application only downloads applications once, so any changes should cause this static data to reload.

Therefore, managers can choose which statements belong to each role and which statements the user has after setting the role and default statements. The system has a small number of users, so managing this data is simple

+7
Jun 06 '18 at 11:15
source share

In order to understand the difference between roles and claims, you have to face the limitation of roles and feel how claims arise because of these problems, so I gave you two scenarios for recognizing the strength of statements when a role cannot solve these problems:

1- your site should have two modules (pages, service .. etc.): The first module for a child (under 18 years old), the other for adults (over 18 years old) your person has a claim for a birthday

you need to create a policy for this application so that authorization for each module is provided for this value, and if the user is more than 18 years old, then he can switch to the module for adults, and not until that age

A role is a logical data type that you may or may not have a role; a role did not have malt values

2- your site has a user role, and you do not want to prevent users from accessing certain services without changing the code

in statements, you can create an UnderConstrain policy that, if the true user cannot view the page, gives the authorize property for the role user.

+1
Aug 08 '19 at 11:49 on
source share


More articles:


All Articles