What is the idea behind IIdentity and IPrincipal in .NET

Aloraman picture Aloraman · Nov 24, 2014 · Viewed 24.2k times · Source

So, what is the purpose for existence of both IIdentity and IPrincipal, and not some IIdentityMergedWithPrincipal? When is it not enough to implement both in same class?

Also, to understand purpose, I'd like to know where this concept comes from:

  • It is originated in .Net
  • There is concept of Identity/Principal as design pattern, which System.Security.Principal implemented in those interfaces
  • It is originated somewhere else and supported for compatibility

Therefore, does UserPrincipal from System.DirectoryServices act similarly to IPrincipal but not implement it by accident or by intention?

P.S. I'm looking for reasoning behind idea, not benefits/controversies comparison, so please try not to start opinion-based discussion

Answer

Mark Cidade picture Mark Cidade · Nov 24, 2014

IIdentity is just used for the user's authenticated identity, regardless of what roles they may have.

IPrincipal is used to combine a user's identity with the authorized roles they have in a given security context.

For example, you can use a third-party login provider, like Facebook or Google, to get the user's identity, but you will not get a principal from those providers, as they don't provide any roles. You can use your own application or a third-party role-based authorization provider to apply roles to, say, a FacebookIdentity or GoogleIdentity. A different application can expect a different principal, with its own roles, but still use the same identity as in another application.