Best practices for creating custom claim types

StackOverflow https://stackoverflow.com/questions/22844034

Question

Given a specific set of permissions, e.g. EditPage, CreateProject, ModifyUser, I am currently looking at two different ways of creating some custom claims types to model this behavior. I can find little information online about the best way to do this and hoping for some feedback on how you have done this in your own systems.

The first approach I've considered is to use an "action" claim type, with the specific action specified by the value of the claim:

var claims = new [] 
{
    new Claim("http://schemas.company.com/claims/project/action", "EditPage"),
    new Claim("http://schemas.company.com/claims/project/action", "CreateProject"),
    new Claim("http://schemas.company.com/claims/project/action", "ModifyUser")
}

The second approach is to use the claim type itself to define the action being performed, the value is not used. This is like a "PossessProperty" style of security where as long as the user has the claimtype, they can perform the action.

var claims = new [] 
{
    new Claim("http://schemas.company.com/claims/project/editpage", ""),
    new Claim("http://schemas.company.com/claims/project/createproject", ""),
    new Claim("http://schemas.company.com/claims/project/modifyuser", "")
}

Also note, in the claim types above I've included a "project" discriminator so that I can differentiate between a user who can edit a page in Project A but not Project B.

We're also planning on storing all of these custom claims in a central "Authorization" database, so the uniqueness is required.

Any thoughts or feedback would be greatly appreciated.

Was it helpful?

Solution

Well - you haven't given more details about your intent - but if you plan to make these claims part of the identity of the user - this is clearly an anti-pattern.

Claims describe the identity of the user (which might include coarse grained authorization data like roles). To make finer grained authorization decisions, use something like the ClaimsAuthorizationManager in .NET.

In this extensibility point you make a informed decision based on

a) the identity of the user b) the resource the user is trying to access c) the operation the user is trying to do on the resource

So in other words - claims are the input to your authorization decisions, not the direct answer.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top