Is It Possible to Model Complex Claims (hierarchical / nested / etc)?

StackOverflow https://stackoverflow.com/questions/22317492

Question

Using Windows Identity Foundation (WIF) in tandem with a Security Token Service (STS), is it possible to create complex claims that could satisfy a question such as:

For a user with a claim to a role "Support", that user:

  • Can only view and use resource1
  • CAN NOT update, create, or delete resource2
  • CAN NOT create, or delete resource3
  • Can only use and update resources with a "resource" tag.

It's a necessarily contrived example but is this possible? I'm thinking I want to authorize the authenticated user with basic claims and then add the relevant complex claims in the application (where those claims will be stored in a database and under control of application users).

Thanks, Richard

Was it helpful?

Solution

You can definitely model it like that - they are just strings - whatever you can do to strings you can do to claims ;)

But it would be definitely an anti-pattern. Claims describe the identity of a user - which might include coarse grained authorization information. There's a fine line here.

But for your use case you would rather implement your authorization policy in a ClaimsAuthorizationManager and use the identity claims as input to "calculate" your fine grained authorization decisions.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top