Is it possible to model complex claims (hierarchical / nested / etc.)?

Using Windows Identity Foundation (WIF) together with a Security Token Service (STS), can you create complex claims that would satisfy a question such as:

For a user claiming the Support role, this user:

  • can only view and use resource1
  • CANNOT update, create or delete resource2
  • CANNOT create or delete resource3
  • can use and update resources carrying the resource tag

This is certainly a contrived example, but is it possible? I think I want to authenticate a user with basic claims and then add the corresponding complex claims in the application (where these claims would be stored in the database and be under the control of application users).

Thanks, Richard

1 answer

You can definitely model it like this: claims are just strings, so whatever you can do with strings you can do with claims ;)

But it would definitely be an anti-pattern. Claims describe a user's identity, which may include coarse-grained permission information. There is a fine line.

For your use case, you would rather implement your authorization policy in a ClaimsAuthorizationManager and use the identity claims as input to "compute" your fine-grained authorization decisions.

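As an added illustration of the answer's advice (this is example code written for this page, not code from the original question or answer, and not a Microsoft sample), the following C# targets the WIF types that shipped in .NET 4.5 under System.Security.Claims (assembly System.IdentityModel). The token carries only identity claims (Name and Role); the fine-grained rules for the Support role live in an application-owned rule table that stands in for the database the question mentions, and a ClaimsAuthorizationManager subclass evaluates them with deny-by-default semantics. The rule table, the PolicyRule type, the "urn:example:resource-tag" claim type used to tag resources, and every resource and action name are assumptions made for the illustration.

```csharp
// Added example, not from the original post. Targets .NET 4.5 WIF types in
// System.Security.Claims (reference System.IdentityModel.dll).
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Linq;
using System.Security.Claims;

// Hypothetical rule shape; in production these rows would come from the app's database.
public sealed class PolicyRule
{
    public string Role;                     // role claim value the rule applies to
    public string ResourceName;             // exact resource name, or null to match by tag
    public string ResourceTag;              // tag the resource must carry, or null to match by name
    public HashSet<string> AllowedActions;  // actions permitted; anything not listed is denied
}

public sealed class PolicyAuthorizationManager : ClaimsAuthorizationManager
{
    // Assumed claim type for attaching tags to a resource; not a WIF built-in.
    public const string ResourceTagClaimType = "urn:example:resource-tag";

    private readonly IList<PolicyRule> _rules;

    public PolicyAuthorizationManager(IList<PolicyRule> rules) { _rules = rules; }

    public override bool CheckAccess(AuthorizationContext context)
    {
        var principal = context.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;  // deny by default: no authenticated identity, no access

        // Identity claims are the only input taken from the token.
        var roles = principal.FindAll(ClaimTypes.Role).Select(c => c.Value).ToList();
        var action = context.Action.First().Value;
        var resourceName = context.Resource
            .Where(c => c.Type == ClaimTypes.Name).Select(c => c.Value).FirstOrDefault();
        var resourceTags = context.Resource
            .Where(c => c.Type == ResourceTagClaimType).Select(c => c.Value).ToList();

        // Allow only when a rule for one of the user's roles matches the resource
        // (by name or by tag) and explicitly lists the requested action.
        return _rules.Any(r =>
            roles.Contains(r.Role, StringComparer.OrdinalIgnoreCase) &&
            ((r.ResourceName != null && r.ResourceName == resourceName) ||
             (r.ResourceTag != null && resourceTags.Contains(r.ResourceTag))) &&
            r.AllowedActions.Contains(action));
    }
}

public static class Demo
{
    static PolicyRule Allow(string role, string name, string tag, params string[] actions) =>
        new PolicyRule { Role = role, ResourceName = name, ResourceTag = tag,
                         AllowedActions = new HashSet<string>(actions, StringComparer.OrdinalIgnoreCase) };

    public static void Main()
    {
        // Constructed rule set encoding the Support role from the question (allow lists;
        // "CANNOT update/create/delete" is expressed by simply not listing those actions).
        var rules = new List<PolicyRule>
        {
            Allow("Support", "resource1", null, "view", "use"),
            Allow("Support", "resource2", null, "view", "use"),
            Allow("Support", "resource3", null, "view", "use", "update"),
            Allow("Support", null, "support-tag", "use", "update"),
        };
        var authz = new PolicyAuthorizationManager(rules);

        // The token only says who the user is and that they hold the Support role.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "richard"),
            new Claim(ClaimTypes.Role, "Support"),
        }, "Federation");
        var user = new ClaimsPrincipal(identity);

        Check(authz, user, "resource1", "view");                   // allowed
        Check(authz, user, "resource2", "delete");                 // denied
        Check(authz, user, "resource3", "update");                 // allowed
        Check(authz, user, "resource3", "create");                 // denied
        Check(authz, user, "ticket-42", "update", "support-tag");  // allowed via tag
        Check(authz, user, "ticket-42", "delete", "support-tag");  // denied
    }

    static void Check(ClaimsAuthorizationManager authz, ClaimsPrincipal user,
                      string resource, string action, string tag = null)
    {
        var resourceClaims = new Collection<Claim> { new Claim(ClaimTypes.Name, resource) };
        if (tag != null)
            resourceClaims.Add(new Claim(PolicyAuthorizationManager.ResourceTagClaimType, tag));
        var actionClaims = new Collection<Claim> { new Claim(ClaimTypes.Name, action) };

        bool allowed = authz.CheckAccess(new AuthorizationContext(user, resourceClaims, actionClaims));
        Console.WriteLine($"{action} {resource}{(tag != null ? " [" + tag + "]" : "")}: {(allowed ? "allowed" : "denied")}");
    }
}
```

The point of the split is the one the answer makes: the STS keeps issuing a small, stable identity token, while the application owns and can change the rule table without reissuing tokens. Note that the manager denies unless a rule explicitly allows, so a missing or misspelled rule fails closed rather than open; in a real deployment the manager is registered in web.config (system.identityModel/identityConfiguration/claimsAuthorizationManager) and invoked through ClaimsPrincipalPermission rather than constructed by hand as here.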

Source: https://habr.com/ru/post/972419/

