Given a specific set of permissions, e.g. EditPage, CreateProject, ModifyUser, I am currently looking at two different ways of creating some custom claim types to model this behavior. I can find little information online about the best way to do this and am hoping for some feedback on how you have done this in your own systems.
The first approach I've considered is to use an "action" claim type, with the specific action specified by the value of the claim:
    using System.Security.Claims;

    // One claim type; the permitted action is carried in the claim value.
    var claims = new []
    {
        new Claim("http://schemas.company.com/claims/project/action", "EditPage"),
        new Claim("http://schemas.company.com/claims/project/action", "CreateProject"),
        new Claim("http://schemas.company.com/claims/project/action", "ModifyUser")
    };
The second approach is to use the claim type itself to define the action being performed; the value is not used. This is like a "PossessProperty" style of security, where, as long as the user has the claim type, they can perform the action.
    using System.Security.Claims;

    // One claim type per action; possession of the type grants the action,
    // so the value is left empty.
    var claims = new []
    {
        new Claim("http://schemas.company.com/claims/project/editpage", ""),
        new Claim("http://schemas.company.com/claims/project/createproject", ""),
        new Claim("http://schemas.company.com/claims/project/modifyuser", "")
    };
Also note, in the claim types above I've included a "project" discriminator so that I can differentiate between a user who can edit a page in Project A but not Project B.
We're also planning on storing all of these custom claims in a central "Authorization" database, so the uniqueness is required.
Any thoughts or feedback would be greatly appreciated.
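As an added example (not code from the question itself), the two styles side by side on a ClaimsPrincipal, each with a check that binds the project to the action so that a grant in one project cannot satisfy a check in another. The "ProjectA"/"ProjectB" names and the "project:action" value encoding are assumptions made for illustration, since the question's claim types do not yet carry a project identifier.

```csharp
using System;
using System.Security.Claims;

public static class ClaimModelDemo
{
    const string ActionType = "http://schemas.company.com/claims/project/action";
    const string TypePrefix = "http://schemas.company.com/claims/project/";

    // Style 1: a single claim type; the value carries "project:action".
    // (Project names and the ":" encoding are assumed for this example.)
    public static ClaimsPrincipal ActionValueStyle() =>
        new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ActionType, "ProjectA:EditPage"),
            new Claim(ActionType, "ProjectA:CreateProject"),
            new Claim(ActionType, "ProjectB:ModifyUser"),
        }, "demo"));

    // Style 2: the claim type names the action; the value scopes it to a project.
    public static ClaimsPrincipal TypePerActionStyle() =>
        new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(TypePrefix + "editpage", "ProjectA"),
            new Claim(TypePrefix + "createproject", "ProjectA"),
            new Claim(TypePrefix + "modifyuser", "ProjectB"),
        }, "demo"));

    // Style 1 check: type and the combined "project:action" value must both match,
    // so the project and the action are never evaluated independently.
    public static bool CanByValue(ClaimsPrincipal p, string project, string action) =>
        p.HasClaim(ActionType, $"{project}:{action}");

    // Style 2 check: the claim type is derived from the action, the value from the project.
    // HasClaim compares type and value case-insensitively.
    public static bool CanByType(ClaimsPrincipal p, string project, string action) =>
        p.HasClaim(TypePrefix + action.ToLowerInvariant(), project);

    public static void Main()
    {
        var byValue = ActionValueStyle();
        var byType = TypePerActionStyle();
        Console.WriteLine(CanByValue(byValue, "ProjectA", "EditPage"));
        Console.WriteLine(CanByValue(byValue, "ProjectB", "EditPage"));
        Console.WriteLine(CanByType(byType, "ProjectB", "ModifyUser"));
        Console.WriteLine(CanByType(byType, "ProjectA", "ModifyUser"));
    }
}
```

Whichever style is chosen, the check should require the project and the action together in one lookup, as both helpers above do; checking "has some EditPage claim" and "has some ProjectA claim" separately would let a grant in one project satisfy a request in another.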