Claims-based authentication: is a claim essentially a string?

Posted 2024-09-04 08:15:06


I've been programming with claims-based authentication for some time now with Windows Identity Foundation.

It appears to me that in Windows Identity Foundation, once a user is logged in, the claims are basically strings of information that describe the user.

With the old role-based authentication, I could say that a user is or is not a member of a given group, but with claims-based authentication, I can now have strings of information that describe a user. "This user is female". This user was born on "July 6, 1975". "This user logged in using a USB key".

Is it the essence of claims-based authentication, that I have strings of information about the user given to the application by the framework?


Comments (1)

≈。彩虹 2024-09-11 08:15:06


Claims are attributes about the subject interacting with your application, and can be anything. All the examples you gave are essentially correct.

That's why you can use claims for more than just driving authorization rules. They could also represent user profile information for example. And a role membership is just another attribute (that is mostly used for access control).

A couple of observations:

  • One subtle, but very important difference is that claims are issued by a trusted, authoritative entity (the STS). The origin of a claim is as important as the claim itself. To use a simple example: if I send you a token issued by Microsoft's STS with a claim "Title=Program Manager", you would probably have high certainty that I am a PM working for Microsoft. In other words, there's a correlation between the fidelity of the attributes you get and the level of trust you put on the issuer.
  • In WIF, claim values are implemented as "strings" (as in a .NET type), but they could be any (serializable) object. For simple things like roles, groups, names, etc. you just use the value. For other more complex types you will need some kind of deserialization.
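The three points above (a role is just one more claim type, the issuer of a claim matters as much as its value, and a string-valued claim can carry a serialized object) can be shown in a few lines of C#. This is an added example, not code from the question, the answer, or Microsoft's own WIF samples; it uses the System.Security.Claims types that .NET 4.5 absorbed from WIF. The issuer URI, the custom claim type URIs, the PostalAddress type and the use of System.Text.Json for the complex value are all assumptions made for the example.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

// Constructed example: a principal as the application sees it after the
// framework has validated a token. In a real deployment the Issuer on each
// claim is set from the validated token signature, not typed in by hand.
public static class ClaimsDemo
{
    // Hypothetical STS name for this example.
    const string TrustedIssuer = "https://sts.example.test";

    // Hypothetical complex claim value that is carried as a serialized string.
    public sealed class PostalAddress
    {
        public string Street { get; set; } = "";
        public string City { get; set; } = "";
    }

    public static ClaimsPrincipal BuildPrincipal()
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, TrustedIssuer),
            // Role membership is just another attribute of the subject.
            new Claim(ClaimTypes.Role, "Editor", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.DateOfBirth, "1975-07-06", ClaimValueTypes.Date, TrustedIssuer),
            // A non-trivial value: serialized object in a string-valued claim.
            new Claim("http://example.test/claims/address",
                      JsonSerializer.Serialize(new PostalAddress { Street = "1 Main St", City = "Springfield" }),
                      "http://example.test/types/json", TrustedIssuer),
            // Same shape of claim, but self-asserted rather than issued by the STS.
            new Claim("http://example.test/claims/title", "Program Manager", ClaimValueTypes.String, "self"),
        };
        var identity = new ClaimsIdentity(claims, "Federation");
        return new ClaimsPrincipal(identity);
    }

    // The old IsInRole question is answered by a claim of type ClaimTypes.Role.
    public static bool IsEditor(ClaimsPrincipal p) =>
        p.IsInRole("Editor") && p.HasClaim(ClaimTypes.Role, "Editor");

    // Origin check: only return a value when the claim came from the issuer we trust.
    public static string? TrustedClaimValue(ClaimsPrincipal p, string type) =>
        p.Claims.FirstOrDefault(c => c.Type == type && c.Issuer == TrustedIssuer)?.Value;

    // Complex claim: the string needs deserialization before it is useful.
    public static PostalAddress? Address(ClaimsPrincipal p)
    {
        var raw = TrustedClaimValue(p, "http://example.test/claims/address");
        return raw == null ? null : JsonSerializer.Deserialize<PostalAddress>(raw);
    }

    public static void Main()
    {
        var p = BuildPrincipal();
        Console.WriteLine($"Editor: {IsEditor(p)}");
        Console.WriteLine($"Date of birth (trusted issuer): {TrustedClaimValue(p, ClaimTypes.DateOfBirth)}");
        // The self-asserted title is present on the principal but fails the issuer check.
        Console.WriteLine($"Title (trusted issuer): {TrustedClaimValue(p, "http://example.test/claims/title") ?? "(none)"}");
        Console.WriteLine($"City: {Address(p)?.City}");
    }
}
```

The `TrustedClaimValue` filter is the practical form of the answer's first observation: a claim that is present on the principal is not automatically a claim you should act on, and authorization decisions should be keyed to claims from an issuer the application has configured to trust.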