
Given a specific set of permissions, e.g. EditPage, CreateProject, ModifyUser, I am currently looking at two different ways of creating some custom claim types to model this behavior. I can find little information online about the best way to do this and am hoping for some feedback on how you have done this in your own systems.

The first approach I've considered is to use an "action" claim type, with the specific action specified by the value of the claim:

// System.Security.Claims.Claim; one claim type, the action is carried in the value
var claims = new[]
{
    new Claim("http://schemas.company.com/claims/project/action", "EditPage"),
    new Claim("http://schemas.company.com/claims/project/action", "CreateProject"),
    new Claim("http://schemas.company.com/claims/project/action", "ModifyUser")
};

The second approach is to use the claim type itself to define the action being performed; the value is not used. This is like a "PossessProperty" style of security where, as long as the user has the claim type, they can perform the action.

// System.Security.Claims.Claim; one claim type per action, the value is left empty
var claims = new[]
{
    new Claim("http://schemas.company.com/claims/project/editpage", ""),
    new Claim("http://schemas.company.com/claims/project/createproject", ""),
    new Claim("http://schemas.company.com/claims/project/modifyuser", "")
};

Also note, in the claim types above I've included a "project" discriminator so that I can differentiate between a user who can edit a page in Project A but not Project B.

We're also planning on storing all of these custom claims in a central "Authorization" database, so the uniqueness is required.

Any thoughts or feedback would be greatly appreciated.

mikesigs

1 Answer

Well - you haven't given more details about your intent - but if you plan to make these claims part of the identity of the user - this is clearly an anti-pattern.

Claims describe the identity of the user (which might include coarse grained authorization data like roles). To make finer grained authorization decisions, use something like the ClaimsAuthorizationManager in .NET.

In this extensibility point you make an informed decision based on

a) the identity of the user
b) the resource the user is trying to access
c) the operation the user is trying to do on the resource

So in other words - claims are the input to your authorization decisions, not the direct answer.

leastprivilege
Comments:

Thanks, I was hoping you were going to respond to this. I enjoyed your Pluralsight videos very much. I am in fact using the ClaimsAuthorizationManager, but have yet to start implementing the policies. The requirement is to have very fine grained security, so users are granted specific rights to perform specific actions, e.g. upload images, modify pages, etc. I was thinking the specific rights/actions/permissions would be modeled each as an individual claim. But you're saying that's an anti-pattern. So is this whole fine-grained security an anti-pattern? I'm even more confused now. – mikesigs Apr 08 '14 at 04:59

No not at all ;) Just don't make all these claims part of the ClaimsPrincipal. – leastprivilege Apr 08 '14 at 08:51

So the "action" claims are no longer claims then. They don't get stored with the ClaimsPrincipal during claims transformation. But rather, the Authorization Manager would have to check the specific permissions via some service call/db lookup? I was hoping to have a static set of Policies, but that won't work with this model. – mikesigs Apr 08 '14 at 15:01

Yea - you want to keep the claims set as small as possible. Having a huge list of "stuff" is hard to maintain as well. Rather use the authzmgr abstraction. – leastprivilege Apr 08 '14 at 16:38

Thanks @leastprivilege. We went back to the drawing board on this and decided to merge several of the actions into roles instead. Regarding the use of authzmgr, have you gone this route before? Do you think it would be reasonable to call the authzmgr from the ClaimsAuthorizationManager? That way you could mix Resource/Action checks against authzmgr coupled with the statically defined Policies. – mikesigs Apr 16 '14 at 14:48

With authzmgr I mean ClaimsAuthorizationManager. – leastprivilege Apr 16 '14 at 15:58

I thought you were referring to AzMan as a way to manage finer grained permissions. – mikesigs Apr 16 '14 at 16:11

What if we want to access claims in a razor view? The only way is to store claims in the principal. The question is still pertinent. I want to know a standard way to create custom claim types. – Maly Lemire Dec 01 '16 at 04:15

Even tho the answer was marked as accepted I think it would not be clear to beginners. A working demo would be good tho. @mikesigs did you do any implementation of the discussion above? – Rahatur Dec 08 '16 at 10:38