What's the role of the ClaimsPrincipal, why does it have multiple Identities?

Dan picture Dan · Sep 15, 2015 · Viewed 14.5k times · Source

I am trying to understand the security model behind .NET based on claims for the application (Relying Party).

I know there are 2 major classes:

  • ClaimsPrincipal - security context for the running process
  • ClaimsIdentity - stores information about the user - authentication status and claims

The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.

To me, the ClaimsPrincipal, other than using it to get the current identity, excuse my ignorance, it's useless.

What am I missing other than what I stated and let's say backwards compatiblity in regard to the ClaimsPrincipal class?

Answer

Ali Reza Dehdar picture Ali Reza Dehdar · Apr 1, 2018

The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.

This is a wrong assumption. In fact the ClaimsPrincipal in context will always have more than 1 identity if your application requires n factor authentication (n > 1).

Try looking at it this way.

Principal = User

Identity = Driver's License, Passport, Credit Card, Google Account, Facebook Account, RSA SecurID, Finger print, Facial recognition, etc.

If you're pulled over by the police, they don't verify you're who you claim to be, based on your driver's license alone. They also need to see your face. Otherwise you could show anyones driver's license.

Hence it makes sense, why authentication can and sometimes should be based on multiple identities. That's why 1 ClaimsPrincipal can have any number of ClaimsIdentity.