基于声明的认证方式,其最大特性是可传递(一方面是由授信的Issuer,即claims持有方,发送到你的应用上,注意信任是单向的。例如QQ集成登录,登录成功后,QQ会向你的应用发送claims。另一方面可在Issuer之间传递,例如A公司的AD和B公司的AD之间传递),主要用于第三方认证和单点登陆(For claims-based applications,single sign-on for the web is sometimes called passive federation).
A claim is a statement that one subject makes about itself or another subject. The statement can be about a name, identity, key, group, privilege, or capability, for example. Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (STS).
Claim is piece of information that describes given identity on some aspect. Take claim as name-value pair. Claims are held in authentication token that may have also signature so you can be sure that token is not tampered on its way from remote machine to your system. You can think of token as envelop that contains claims about user.
Token may contain different claims:
- username or user ID in remote system,
- full name of user,
- e-mail address,
- membership in security groups,
- phone number,
- color of eyes.
System can use claims to identify and describe given user from more than one aspect. This is something you don’t achieve easily with regular username-password based authentication mechanisms.
security token传递方式:
Security tokens that are passed over the Internet typically take one of two forms:
- Security Assertion Markup Language (SAML) tokens are XML-encoded structures that are embedded inside other structures such as HTTP form posts and SOAP messages.
- Simple Web Token (SWT) tokens that are stored in the HTTP headers of a request or response.
The tokens are encrypted and can be stored on the client as cookies.
Claims Based Authentication
Claims are a set of information stored in a key – value pair form. Claims are used to store information about user like full name, phone number, email address.... and the most important thing is that you can use claims as a replacement of roles, that you can transfer the roles to be a claim for a user.
The most important benefit from claims is that you can let a third party authenticate users, and the third party will retrieve to you if this user is authenticated or not and also what claims are for this user.
Token Based Authentication
Token store a set of data in (local/session storage or cookies), these could be stored in server or client side, the token itself is represented in hash of the cookie or session.
In token based authentication, when a request comes, it should have the token with it, the server first will authenticate the attached token with the request, then it will search for the associated cookie for it and bring the information needed from that cookie.
An Introduction to Claims
https://msdn.microsoft.com/zh-cn/library/ff359101.aspx
Claims-Based Architectures
https://msdn.microsoft.com/en-us/library/ff359108.aspx
WIF(Windows Identity Foundation) 4.5 是一组用于在您的应用程序中实施基于声明的标识的 .NET Framework 类)
包含以下程序集:
mscorlib (mscorlib.dll),
System.IdentityModel(System.IdentityModel.dll),
System.IdentityModel.Services (System.IdentityModel.Services.dll),
System.ServiceModel(System.ServiceModel.dll)
注意从4.5开始,System.IdentityModel.Claims, System.IdentityModel.Policy, and System.IdentityModel.Selectors 将被抛弃