Skip to main content

Claims Class For security in .NET4.5 with C#

What is Claim ?

A claim in the world of authentication and authorization can be defined as a statement about an entity, typically a user. A claim can be very fine grained:

  • Ram is an admin
  • Ram’s email address is Ram@yahoo.com
  • Ram lives in Mumbai
  • Tom’s allowed to view sales figures between 2009 and 2012
  • Tom’s allowed to wipe out the universe
Claims originate from a trusted entity other than the one that is being described. This means that it is not enough that Tom says that he is an administrator. If your company’s intranet runs on Windows then Tom will most likely figure in Active Directory/Email server/Sales authorisation system and it will be these systems that will hold these claims about Tom. The idea is that if a trusted entity such as AD tells us things about Tom then we believe them a lot more than if Tom himself comes with the same claims. This external trusted entity is called an Issuer. The KEY in the key-value pairs is called a Type and the VALUE in the key-value pair is called the Value

. Example:
  • Type: role
  • Value: marketing
  • Issuer: Active Directory


An advantage of claims is that they can be handled by disparate authentication systems which can have different implementations of claims: groups, roles, permissions, capabilities etc. If two such systems need to communicate through authorisation data then Claims will be a good common ground to start with.

How do we attach these claims to the Principals?

A Claim is represented in .NET4.5 by an object called… …Claim! It is found in the System.Security.Claims namespace.
There is a new implementation of the well-known IIdentity interface called ClaimsIdentity. This implementation holds an IEnumerable of Claim objects. This means that this type of identity is described by an arbitrary number of statements.
Not surprisingly we also have a new implementation of IPrincipal called ClaimsPrincipal which holds a read-only collection of ClaimsIdentity objects. Normally this collection of identities will only hold one ClaimsIdentity element. In some special scenarios with disparate systems a user can have different types of identities if they can identify themselves in multiple ways. The ClaimsPrincipal implementation accommodates this eventuality.
The advantage with having these new objects deriving from IPrincipal and IIdentity is compatibility. You can start introducing Claims in your project where you work with IPrincipals and IIdentities without breaking your code.

example :
1
2
3
4
static void Main(string[] args)
        {
            Claim claim = new Claim("Name", "ram");
        }

You can use strings to describe types as above but we all know the disadvantages with such hard-coded strings. There is an enumeration called ClaimTypes that stores the most common claim types.
static void Main(string[] args)
        {
            Claim claim = new Claim("Name", "ram");
            Claim newClaim = new Claim(ClaimTypes.Country, "Mumbai");
        }

You can check out the values available in ClaimTypes using IntelliSense. It is safer to use the enumeration where-ever possible rather than the straight string values as chances are the system you’re trying to communicate Claims with will also understand the values behind the enumerated one. If you don’t find any suitable one there you can revert back to string-based Types and even define a formal namespace to the claim as follows:
Place the cursor on “Country” in ‘new Claim(ClaimTypes.Country, “Sweden”);’ and press F12. You’ll see a long list of namespaces, such as the following:
These namespaces will uniquely describe the claim type.
It is very rare that there’s only one claim about a person. Instead, claims come in collections, so let’s create one:
1
2
3
4
5
6
7
8
9
10
11
12
static void Main(string[] args)
        {
            IList<Claim> claimCollection = new List<Claim>
            {
                new Claim(ClaimTypes.Name, "Ram")
                , new Claim(ClaimTypes.Country, "mumbai")
                , new Claim(ClaimTypes.Gender, "M")
                , new Claim(ClaimTypes.Surname, "sharma")
                , new Claim(ClaimTypes.Email, "hello@me.com")
                , new Claim(ClaimTypes.Role, "IT")
            };
        }
We can easily build an object of type IIDentity out of a collection of claims, in this case a ClaimsIdentity as mentioned above:
1
ClaimsIdentity claimsIdentity = new ClaimsIdentity(claimCollection);
We now test if this identity is authenticated or not:
1
Console.WriteLine(claimsIdentity.IsAuthenticated);
Run the Console app and test for yourself; IsAuthenticated will return false. Claims can be attached to anonymous users which is different from the standard principal types in .NET4 and earlier. It used to be enough for the user to have a name for them to be authenticated. With Claims that is not enough. Why would you attach claims to an unauthenticated user? It is possible that you gather information about a user on your site which will be used to save their preferences when they are turned into members of your site.
If you want to turn this IIdentity into an authenticated one you need to provide the authentication type which is a string descriptor:
1
ClaimsIdentity claimsIdentity = new ClaimsIdentity(claimCollection, "My e-commerce website");
Run the application again and you’ll see that the user is now authenticated.
Using our identity object we can also create an IPrincipal:
1
ClaimsPrincipal principal = new ClaimsPrincipal(claimsIdentity);
As ClaimsPrincipal implements IPrincipal we can assign the ClaimsPrincipal to the current Thread as the current principal:
1
Thread.CurrentPrincipal = principal;
From this point on the principal is available on the current thread in the rest of the application.
Create a new method called Setup() and copy over all our code as follows:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
static void Main(string[] args)
        {
            Setup();
 
            Console.ReadLine();
        }
 
        private static void Setup()
        {
            IList<Claim> claimCollection = new List<Claim>
            {
                new Claim(ClaimTypes.Name, "Ram")
                , new Claim(ClaimTypes.Country, "Mumbai")
                , new Claim(ClaimTypes.Gender, "M")
                , new Claim(ClaimTypes.Surname, "Sharma")
                , new Claim(ClaimTypes.Email, "hello@me.com")
                , new Claim(ClaimTypes.Role, "IT")
            };
 
            ClaimsIdentity claimsIdentity = new ClaimsIdentity(claimCollection, "My e-commerce website");
 
            Console.WriteLine(claimsIdentity.IsAuthenticated);
 
            ClaimsPrincipal principal = new ClaimsPrincipal(claimsIdentity);
            Thread.CurrentPrincipal = principal;
        }
Let’s see if the new Claims-related objects can be used in .NET4 where Claims are not available. Create a new method as follows:
1
2
3
4
private static void CheckCompatibility()
        {
 
        }
Call this method from Main as follows:
1
2
3
4
5
6
7
static void Main(string[] args)
        {
            Setup();
            CheckCompatibility();
 
            Console.ReadLine();
        }
Add the following to the CheckCompatibility method:
1
2
IPrincipal currentPrincipal = Thread.CurrentPrincipal;
Console.WriteLine(currentPrincipal.Identity.Name);
Run the application and the name you entered in the claims collection will be shown on the output window. The call for the Name property will look through the claims in the ClaimsIdentity object and extracts the value of Name claim type.
In some cases it is not straightforward what a ‘Name’ type means. Is it the unique identifier of the user? Is it the email address? Or is it the display name? You can easily specify how a claim type is defined. You can pass two extra values to the ClaimsIdentity constructor: which claim type constitutes the ‘Name’ and the ‘Role’ claim types. So if you want the email address to be the ‘Name’ claim type you would do as follows:
1
ClaimsIdentity claimsIdentity = new ClaimsIdentity(claimCollection, "My e-commerce website", ClaimTypes.Email, ClaimTypes.Role);
Run the application and you will see that the email is returned as the name from the claim collection.
You can check if a user is in a specific role as before:
1
2
3
4
5
6
private static void CheckCompatibility()
        {
            IPrincipal currentPrincipal = Thread.CurrentPrincipal;
            Console.WriteLine(currentPrincipal.Identity.Name);
            Console.WriteLine(currentPrincipal.IsInRole("IT"));
        }
…which will yield true.
So we now know that ‘old’ authentication code will still be able to handle the Claims implementation. We’ll now turn to ‘new’ code. Create a new method called CheckNewClaimsUsage() and call it from Main just after CheckCompatibility().
The following will retrieve the current claims principal from the current thread:
1
2
3
4
private static void CheckNewClaimsUsage()
        {
            ClaimsPrincipal currentClaimsPrincipal = Thread.CurrentPrincipal as ClaimsPrincipal;
        }
Now you’ll have access to all the extra methods and properties built into ClaimsPrincipal. You can enumerate through the claims collection in the principal object, find a specific claim using Linq etc. Example:
1
2
3
4
5
6
private static void CheckNewClaimsUsage()
        {
            ClaimsPrincipal currentClaimsPrincipal = Thread.CurrentPrincipal as ClaimsPrincipal;
            Claim nameClaim = currentClaimsPrincipal.FindFirst(ClaimTypes.Name);
            Console.WriteLine(nameClaim.Value);
        }
You can use .HasClaim to check if the claims collection includes a specific claim you’re looking for.
You can also query the identities of the ClaimsPrincipal:
1
2
3
4
foreach (ClaimsIdentity ci in currentClaimsPrincipal.Identities)
            {
                Console.WriteLine(ci.Name);
            }
The line…
1
ClaimsPrincipal currentClaimsPrincipal = Thread.CurrentPrincipal as ClaimsPrincipal;
…becomes so common that there’s a built-in way to achieve the same thing:
1
ClaimsPrincipal currentClaimsPrincipal = ClaimsPrincipal.Current;
This will throw an exception if the concrete IPrincipal type is not ClaimsPrincipal for whatever reason.
We have looked at the very basics of Claims in .NET4.5. The next post will look at the new IIdentity and IPrincipal inheritance model.

Comments

Post a Comment

Popular posts from this blog

Design Patterns

                                                      Design pattern 1. Factory Design Pattern  In Factory pattern, we create object without exposing the creation logic to the client and refer to newly created object using a common interface. Step 1 Create an interface IShape.cs public interface I Shape { void draw (); } Step 2 Create concrete classes implementing the same interface. Rectangle.cs public class Rectangle : I Shape { @Override public void draw () { C onsole.WriteLine ( "Inside Rectangle::draw() method." ); } } Square.cs public class Square : I Shape { @Override public void draw () { C onsole.WriteLine ( "Inside Square::draw() method." ); } } Circle.cs public class Circle : I Shape { @Override public void draw () ...

Paytm integration

How to integrate Paytm to asp.net site   You will need to create an Checksum on your server. Kindly refer the dll file for the attachment.  Usage of CheckSum API: ·         Add provided “paytm.dll” as a “Reference” in your project. ·         Import namespace “paytm” in your Class with statement “using paytm”. ·         Now Generate CheckSum API as well as Verify CheckSum API are available as follows: o   String CheckSum.generateCheckSum(String masterKey, Dictionary<String, String> parameters) o   Boolean CheckSum.verifyCheckSum(String masterKey, Dictionary<String, String> parameters, StringcheckSum) ·         For Generating CheckSum, use following snippet code: String masterKey = “merchantKey” ; Dictionary<String, String> parameters = new Dictionary<string, string>(); p...