What's the role of the ClaimsPrincipal, why does it have multiple Identities?
I am trying to understand the security model behind .NET based on claims for the application (Relying Party).
I know there are 2 major classes:
- ClaimsPrincipal - security context for the running process
- ClaimsIdentity - stores information about the user - authentication status and claims
The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.
To me, the ClaimsPrincipal, other than using it to get the current identity, excuse my ignorance, it's useless.
What am I missing other than what I stated and let's say backwards compatiblity in regard to the ClaimsPrincipal class?
Answer
The thing is, ClaimsPrincipal contains just a collection of identities and points to the currently used one but as far as I know, the principal usually never contains more than 1 identity and even if it would - the user is never logged in with 2 or more identities.
This is a wrong assumption. In fact the ClaimsPrincipal in context will always have more than 1 identity if your application requires n factor authentication (n > 1).
Try looking at it this way.
Principal = User
Identity = Driver's License, Passport, Credit Card, Google Account, Facebook Account, RSA SecurID, Finger print, Facial recognition, etc.
If you're pulled over by the police, they don't verify you're who you claim to be, based on your driver's license alone. They also need to see your face. Otherwise you could show anyones driver's license.
Hence it makes sense, why authentication can and sometimes should be based on multiple identities. That's why 1 ClaimsPrincipal can have any number of ClaimsIdentity.