4

I just don't still get Claim Based Authentication/Authorization workflow.

Application allows authentication via Facebook.com

After the user is authenticated, an admin can give her/him a claim of having the role of Manager, which create another claim (where?)

Of course, this claim won't be on facebook.com server, question 1: where should that claim be stored ?

When the user login again later, I get the claim of facebook.com and the i should get the claim from application ? and merge them ?

How is the workflow. Trying to understand claims in practical usage.

Basically, facebook tell me that i'm john@doe.com and 'field in the blanks' adds a claim that I'm also a manager of domain.com

then I pass those claims to domain.com ?

How should I configure in asp.net the application at domain.com to trust facebook and 'filled in the blank piece' and request claims form both ?

I guess I'm using external providers for Authentication and my own provider for Authorization, how this is created on ASP.NET (web api / mvc) ?

UPDATE (for clarification)

Let's get backwards. I create a web application where users can register. 'Somehow' there's an trusted ClaimsBased authority somewhere (this should be another application??) where I request the claims for a particular user to see if have particular rights on my application.

So I imagine something like :

/authserver/claims

and my validation checks if X claim is met to do certain operation.

later I add facebook. now I have

/facebook/claims

which tells me the user is X and

/authserver/claims to see if can do operation X on resource Y.

how this is managed on ASP.NET ? and where my own claims should be created/exposed/developed ?

I think I'm missing something fundamental here.

Bart Calixto
  • 18,646
  • 11
  • 75
  • 112
  • Have you looked at [Create an ASP.NET MVC 5 App with Facebook and Google OAuth2 and OpenID Sign-on (C#)](http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on)? *This tutorial shows you how to build an ASP.NET MVC 5 web application that enables users to log in using OAuth 2.0 or OpenID with credentials from an external authentication provider, such as Facebook, Twitter, Microsoft, or Google. For simplicity, this tutorial focuses on working with credentials from Facebook and Google.* – Erik Philips Feb 04 '14 at 21:54
  • @ErikPhilips yes, I already implemented that. I can register a user with facebook, great. Now I want to add claims to so that user is and admin and can edit a product. Where that data should be stored? and how to use more than one trusted authority (facebook and my own?) on my application. I'll edit the question and try to improve it. – Bart Calixto Feb 04 '14 at 22:23

2 Answers2

1

I think the important thing to understand is the difference between authentication and authorization.

Authentication - the act of confirming the truth of an attribute of a datum or entity.

Authorization - the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular.

So, typically for secured system, the workflow starts with Authentication. When a user first connects/uses a system, then are not authenticated (lets say this user is of a type/group Anonymous). The act of the system determining the user is not authenticated is an Authentication in and of it self. Based on being Anonymous, then the act of the system determining what that type of user anonymous has access too is now authorizing what the user can do. For very secure system, the only access anonymous has is to the login screen/page. Once logged in the user is assigned a unique identity and assigned some type of group policy/role (if not already created). with a web-based application and having a website (#1) authenticate for another website(#2) it becomes a bit more complicated. When I log into StackOverflow(#1), I use my Gmail(#2) account. I get redirected to Google with some special way for Google to know that the page I came from/to go back to. This could be a special key/url combination or for less restrictive access, usually has to do with return url (after I say, yes, where I go back too). Google will create a special authentication token that is specific to the url I am returning to. It is tied to the URL because that means that my token on StackOverflow won't allow me or anyone else to log into say NewEgg for example (in other words someone at StackOverflow with access to the database can't use my token to authenticate as me on some other website, but technically they could log in as me on StackOverflow, but they own the website, so that doesn't really matter). Now I am authenticated on StackOverflow (but technically StackOverflow doesn't even need to know any information about me, just my Token).

On StackOverflow as a new user, a new account is created. This account probably has a one to many relationship to my unique account on Stack Overflow and multiple of logins (and type of logins, OAuth, OpenID or SO Login). Once the account is created, I have whatever access they have setup by default. If I need more or some trigger (lets say based on my Reputation points :) I now have access to Administrative functionality (given some role). That role is tied to my account and indirectly tied to my authentication. This means that I can create additional logins (say a Local SO Login) but keep my Account.

As for each Authentication resource (Google, Facebook, etc) there will be difference schemes for Authentication, but there will always be at least a token (or more than one token) for a website to say who I am (in a generic way).

So website #1 (Stack Overflow) has requested website #2 (Google) to Authenticate me. But only website #1 knows what am I Authorized for.

For role specific functionality, there are a good number of answer on SO dealing with ASP.Net Identity and the Role Manager:

Creating Roles in Asp.net Identity MVC 5

mvc 5 check user role

A much more Indepth look into Identity with MVC - Extending Identity Accounts and Implementing Role-Based Authentication in ASP.NET MVC 5

Community
  • 1
  • 1
Erik Philips
  • 51,408
  • 11
  • 123
  • 146
  • Great explanation. Can you extend a little asking: What if SO request facebook the like status of facebook.com/so page to allow certain functions ? Should I store the claim in my datastore and update as user logs in ? (I'm mixing authentication and authorization here on purpose) – Bart Calixto Feb 05 '14 at 00:44
  • Yes you can store the tokens in the DB. If you do I would highly recommend encrypting them. You don't want someone to get a hold of your database, then be able to login as anyone with a plaintext token. – Erik Philips Feb 05 '14 at 02:52
0

If you're using ASPNET.Identity (http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity), you can add a Role claim type to the user. It'll be associated with the userlogin, so when the user authenticates with Facebook, these user claims will be added and available in MVC.

See the following code fragment:

var acRes = await UserManager.AddClaimAsync(userId, new Claim(ClaimTypes.Role, "MyRole"));
Brendan Green
  • 11,241
  • 5
  • 41
  • 71
  • So when I get external claims I always set/save them up in my own claims datastore and always ask for claims there, right? And should be updated on every login? – Bart Calixto Feb 05 '14 at 00:40
  • No - the process of authentication via Facebook will result in an identity that has the Facebook claims. the code above stores an additional claim type specific to the application. Ultimately the claims are all accessible via the identity. – Brendan Green Feb 05 '14 at 01:21
  • 1
    When I use the code you provided, (user logged in via facebook) the claim is stored ? where ? I have a user id, with collection of token from different providers all pointing to same user id, that user id also has claims from my own application. When he logs in again with my application user/password. How do I get the facebook claims ? – Bart Calixto Feb 05 '14 at 14:20