Having implemented Google OAuth2 via OWIN, I have a question about Claims in general.
We need a ton of Claims, in order to set up Claims-Based Authorization. Note that this is NOT about Claims-based Authentication. Google only supplies a few Claims, like email, name, etc.
We need a lot more Claims, so that we can control access to resources (Authorization). Having read Microsoft's documentation, and an associated e-book they have published, they say this:
Because claims involve an explicit trust relationship with an issuer, your application believes a claim about the current user only if it trusts the entity that issued the claim. See here: An Introduction To Claims
My inclination was to add custom Claims to the AspNetUserClaims table. In fact, I have done this, and associated the Claims to the AspNetUser created by the integration with Google. However, this feels tantamount to a forgery at this point, because Google has not issued these Claims, our enterprise has. It seems that the spirit of the Claims concept is to "trust the issuer". Which entity is regarded as the issuer of the Claim? Is this hybrid approach, adding Claims to Identities authenticated via external issuers, an accepted approach? I can't see how else to extend the limited information provided by Google (which works great for Identity), other than manually adding Claims from within our own enterprise to these externally-authenticated users.
Incidentally, every Claim found in ClaimsPrincipal.Current.Claims shows the Issuer and OriginalIssuer as "LOCAL AUTHORITY"; nothing about Google.
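One way to keep the two kinds of claims apart in code, as an added example that is not part of the original question: the identity claims copied from the external login keep whatever issuer they arrived with, while the authorization claims the enterprise adds are minted with an explicit, application-defined issuer, and the authorization check honours only claims carrying that issuer. The issuer URI, the permission claim type, the sample claim values and the "Google" issuer label on the external claims are all constructed for this example.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Added example (not from the original question). Combines identity claims from an
// external login with enterprise-issued authorization claims, keeping the issuer
// explicit so that authorization trusts only claims the enterprise itself issued.
public static class EnterpriseClaims
{
    // Hypothetical issuer name for claims this application mints itself.
    public const string EnterpriseIssuer = "urn:example-corp:identity";

    // Hypothetical claim type used for application permissions.
    public const string PermissionClaimType = "urn:example-corp:permission";

    // Build the principal the application signs in: identity claims from the
    // external provider plus authorization claims issued by the enterprise.
    public static ClaimsPrincipal BuildPrincipal(ClaimsIdentity externalIdentity, string[] permissions)
    {
        var identity = new ClaimsIdentity(externalIdentity.Claims, "ApplicationCookie");
        foreach (var permission in permissions)
        {
            // Four-argument Claim constructor: type, value, value type, issuer.
            // The issuer is the enterprise, not the external provider.
            identity.AddClaim(new Claim(PermissionClaimType, permission, ClaimValueTypes.String, EnterpriseIssuer));
        }
        return new ClaimsPrincipal(identity);
    }

    // Authorization check that honours a permission claim only when its issuer
    // is the enterprise. A permission-shaped claim from any other issuer is ignored.
    public static bool HasPermission(ClaimsPrincipal principal, string permission)
    {
        return principal.Claims.Any(c =>
            c.Type == PermissionClaimType &&
            c.Value == permission &&
            string.Equals(c.Issuer, EnterpriseIssuer, StringComparison.Ordinal));
    }

    public static void Main()
    {
        // Constructed sample of what an external provider might supply. The issuer
        // label "Google" is part of the constructed data, not a value taken from OWIN.
        var external = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "1234567890", ClaimValueTypes.String, "Google"),
            new Claim(ClaimTypes.Email, "alice@example.com", ClaimValueTypes.String, "Google"),
            // A permission-shaped claim arriving from outside the enterprise:
            // it is carried along but must not grant access.
            new Claim(PermissionClaimType, "invoices:approve", ClaimValueTypes.String, "Google"),
        }, "ExternalCookie");

        var principal = BuildPrincipal(external, new[] { "invoices:read" });

        // Enterprise-issued permission: honoured by the check.
        Console.WriteLine("invoices:read -> " + HasPermission(principal, "invoices:read"));
        // Externally-issued permission-shaped claim: rejected by the check.
        Console.WriteLine("invoices:approve -> " + HasPermission(principal, "invoices:approve"));

        // Show each claim with its Issuer and OriginalIssuer for inspection.
        foreach (var c in principal.Claims)
        {
            Console.WriteLine($"{c.Type} = {c.Value} (issuer: {c.Issuer}, original: {c.OriginalIssuer})");
        }
    }
}
```

Two practical points follow from this layout. A claim built with the two-argument constructor (type and value only) receives ClaimsIdentity.DefaultIssuer, which is the "LOCAL AUTHORITY" string the question mentions, so claims rehydrated from a store that keeps only type and value will all look locally issued regardless of where they originally came from; the trust decision therefore has to be made at the point where the claims are added, as above, rather than inferred later from the issuer string alone. Keeping enterprise permission claims on a distinct, application-owned claim type also makes it harder for a value that happens to arrive from an external provider to be mistaken for an authorization decision.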