
I'm an ASP.NET MVC programmer and have been researching adopting claims-based authentication in my project.

It seems that claims-based authentication tries to pass various kinds of information along with the token, but I would like to ask about its usage scope.

As we can see in ClaimTypes [MSDN], a claim can carry a role, privacy-related information (surname, province, mobile phone), or computer-friendly information (CookiePath), etc.

They are all simply stored as a Type-Value list in the database (AspNetUserClaims). It's a mixture of information scopes, I think. Is there any reason for it to be designed this way? Or isn't it dangerous to put private information in claims? (I know the answer is "DON'T use it if you feel it's dangerous", but the design can lead its usage.)

Youngjae

1 Answer


Claims have nothing to do with privacy; if the information is already stored on the server side, then privacy issues can occur even if you don't use claims.

Claims are used to authorize incoming requests. Think of a claim set as your ID card or passport.

First, the issuer takes the time to carefully authenticate you and issue the document (ID, passport, claim set). Then, other involved parties can just rely on this information without any further need to re-authenticate the user. Thus, if my ID card says I am 40 years old and the relying party trusts the issuer of my ID card, then the relying party assumes I am 40 years old.

This also means that when your application issues claims to be stored in a cookie to establish a session, you don't really need all the information there, including the mobile phone number, shoe size or the date of the last speeding ticket.

Rather, you issue only those claims that are further needed for some kind of authorization. Need the email address somewhere? Put it in the claims. Don't need the province? Exclude it.

Wiktor Zychla
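As an added illustration of the answer's point (this is example code written for this page, not code from the answer or from ASP.NET Identity): the user store may hold every ClaimType under the sun, but the identity that goes into the session cookie is built from a whitelist of the claim types that authorization actually consults. The sample store contents, the whitelist itself, the `"ApplicationCookie"` authentication type string and the `CanEditArticles` check are all assumptions made up for the example; only `System.Security.Claims` types are used, so it compiles as a plain console program.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Constructed sample of what one user's rows in AspNetUserClaims might look like
// (ClaimType/ClaimValue pairs). All values are made up for this example.
static class SampleStore
{
    public static readonly List<Claim> StoredClaims = new List<Claim>
    {
        new Claim(ClaimTypes.NameIdentifier, "user-42"),
        new Claim(ClaimTypes.Name, "youngjae"),
        new Claim(ClaimTypes.Email, "youngjae@example.com"),
        new Claim(ClaimTypes.Role, "Editor"),
        new Claim(ClaimTypes.Surname, "Kim"),                   // privacy-related
        new Claim(ClaimTypes.StateOrProvince, "Seoul"),         // privacy-related
        new Claim(ClaimTypes.MobilePhone, "+82-10-0000-0000"),  // privacy-related
        new Claim(ClaimTypes.CookiePath, "/"),                  // computer-friendly
    };
}

static class SessionClaims
{
    // Claim types that downstream authorization actually reads.
    // This whitelist is an assumption for the example, not a framework default;
    // anything not listed here stays in the database and never enters the cookie.
    static readonly HashSet<string> NeededForAuthorization = new HashSet<string>
    {
        ClaimTypes.NameIdentifier,
        ClaimTypes.Name,
        ClaimTypes.Email,
        ClaimTypes.Role,
    };

    // Build the identity that the issuer (your application) signs into the auth cookie.
    // nameType/roleType tell ClaimsPrincipal which claims back Identity.Name and IsInRole.
    public static ClaimsIdentity BuildSessionIdentity(IEnumerable<Claim> stored, string authenticationType)
    {
        var identity = new ClaimsIdentity(authenticationType, ClaimTypes.Name, ClaimTypes.Role);
        foreach (var c in stored.Where(c => NeededForAuthorization.Contains(c.Type)))
            identity.AddClaim(new Claim(c.Type, c.Value));
        return identity;
    }

    // What a relying party does on a later request: trust the claim set it received
    // and authorize from it, with no second trip to the user store.
    public static bool CanEditArticles(ClaimsPrincipal principal)
    {
        return principal.Identity != null
            && principal.Identity.IsAuthenticated
            && principal.IsInRole("Editor");
    }
}

class Program
{
    static void Main()
    {
        // "ApplicationCookie" is the same string ASP.NET Identity exposes as
        // DefaultAuthenticationTypes.ApplicationCookie; in an OWIN app this identity
        // would then be passed to IAuthenticationManager.SignIn(identity).
        var identity = SessionClaims.BuildSessionIdentity(SampleStore.StoredClaims, "ApplicationCookie");
        var principal = new ClaimsPrincipal(identity);

        Console.WriteLine("Claims that end up in the session cookie:");
        foreach (var c in identity.Claims)
            Console.WriteLine($"  {c.Type} = {c.Value}");

        Console.WriteLine($"Can edit articles: {SessionClaims.CanEditArticles(principal)}");
        Console.WriteLine($"Mobile phone present in cookie: {principal.HasClaim(c => c.Type == ClaimTypes.MobilePhone)}");
        Console.WriteLine($"Surname present in cookie: {principal.HasClaim(c => c.Type == ClaimTypes.Surname)}");
    }
}
```

The filtering step is the whole point: the store can be as mixed as AspNetUserClaims allows, but the issued claim set is shaped by what the relying parties need, which is why an email address that gates a feature belongs in the cookie while a mobile phone number that nothing authorizes on does not. If a piece of data is only displayed or edited on a profile page, read it from the store on that page rather than carrying it in every request.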