ASP.NET requirements for ClaimTypes

cbranch · Mar 23, 2016 · Viewed 7.7k times

I'm investigating using claims-based authorization in ASP.NET (MVC Core 1.0). When setting up a ClaimsIdentity, I supply a list of key/value string pairs to represent each Claim. Example:

List<Claim> claims = new List<Claim>
{
    new Claim("UserID", user.ID),
    new Claim("Name", user.Name),
    new Claim("Role", "basic")
};

My understanding is that I can use whatever keys/values I want. But I noticed there are some pre-defined keys available via the ClaimTypes class. So, I could potentially use some of these pre-defined keys instead:

List<Claim> claims = new List<Claim>
{
    new Claim(ClaimTypes.Sid, user.ID),
    new Claim(ClaimTypes.Name, user.Name),
    new Claim(ClaimTypes.Role, "basic")
};

Questions:

  1. If I use the pre-defined keys, are there any rules/restrictions regarding the actual values assigned to each key, or is it application defined? For example, is it OK to stick a database primary key in ClaimTypes.Sid, or does ASP.NET have certain expectations of what ClaimTypes.Sid should contain?

  2. Are there any ClaimTypes that are required, or is it completely up to the application to decide what to include or not include? I imagine the answer may depend on specific third-party authentication services I would interact with, but how about the simple case of a self-contained ASP.NET project that does not use any third-party authentication. Does ASP.NET itself have any requirements?

Any links to requirements and/or best practices regarding usage of specific key/values would be appreciated.

Answer

Will Ray · Mar 23, 2016

If I use the pre-defined keys, are there any rules/restrictions regarding the actual values assigned to each key, or is it application defined? For example, is it OK to stick a database primary key in ClaimTypes.Sid, or does ASP.NET have certain expectations of what ClaimTypes.Sid should contain?

Using one of the pre-defined ClaimTypes will also modify the Type property of your resulting Claim. You can find a list of these types here. As far as I know, you are free to put a database ID into a ClaimTypes.Sid, however I would strongly recommend using your own name that calls it what it is.

Are there any ClaimTypes that are required, or is it completely up to the application to decide what to include or not include? I imagine the answer may depend on specific third-party authentication services I would interact with, but how about the simple case of a self-contained ASP.NET project that does not use any third-party authentication. Does ASP.NET itself have any requirements?

Assuming no third-party, you get to decide what is and is not required. Keep in mind that if you are storing claims in a cookie (not a third-party source), your space is somewhat limited; cookies cannot be larger than 4096 bytes in total.

The best articles I have found so far for ASP.NET Core claims authentication are here and here. As of this posting, we are still in RC1, so some details may change prior to the final release.
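A small console program, added here and not taken from the question or the answer, that builds the identity the way the answer recommends (an application-defined claim type for the database key, the pre-defined types for name and role) and shows that the ClaimTypes constants are full URIs rather than short keys. The claim type name urn:example:userid, the authentication scheme name and the user values are hypothetical.

```csharp
using System;
using System.Security.Claims;

class ClaimTypesDemo
{
    // Hypothetical application-defined claim type for the database key, used
    // instead of overloading ClaimTypes.Sid with a value it was not meant for.
    const string UserIdClaimType = "urn:example:userid";

    static ClaimsIdentity BuildIdentity(string userId, string name, string role)
    {
        var claims = new[]
        {
            new Claim(UserIdClaimType, userId),   // our own key, named for what it holds
            new Claim(ClaimTypes.Name, name),     // pre-defined: Type becomes a schema URI
            new Claim(ClaimTypes.Role, role),     // pre-defined: what IsInRole looks at
        };

        // Passing an authentication type makes IsAuthenticated true; the last
        // two arguments tell the identity which claim types carry name and role.
        return new ClaimsIdentity(claims, "Cookies", ClaimTypes.Name, ClaimTypes.Role);
    }

    static void Main()
    {
        var identity = BuildIdentity("42", "alice", "basic");
        var principal = new ClaimsPrincipal(identity);

        // The constant is the WS-Federation URI for the claim, not the word "Sid",
        // which is why a reader of the claim set should see a self-describing type.
        Console.WriteLine("ClaimTypes.Sid expands to: " + ClaimTypes.Sid);

        // Lookups use the same type strings, so mixing pre-defined and custom
        // types is fine as long as every consumer agrees on the names.
        Console.WriteLine("Name:     " + principal.Identity.Name);
        Console.WriteLine("IsInRole: " + principal.IsInRole("basic"));
        Console.WriteLine("UserId:   " + principal.FindFirst(UserIdClaimType)?.Value);

        // Each Claim stored in a cookie costs at least Type + Value characters before
        // encryption and encoding, so long URIs add up against the cookie limit.
        foreach (var c in identity.Claims)
            Console.WriteLine($"{c.Type} = {c.Value} ({c.Type.Length + c.Value.Length} chars)");
    }
}
```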