Building a Claims-Based Security Model
The identity model in WCF supports a rich, claims-based approach to authorization, but
so far in this chapter you haven't seen it in action. That's because the discussion so far
has centered on Windows, UserName, and Certificate credentials, each of which relies on
authentication and authorization features that have nothing to do with claims. As I
mentioned earlier, every credential is ultimately mapped to a set of claims when it is
authenticated at the service. In this section, I'll elaborate on this and other important
concepts related to building a claims-based security model, including:
Security tokens and claims
Working with custom claims
Custom authorization policies
Claims-based authorization and related utilities
Security Tokens and Claims
Security tokens are abstractions of credentials that are passed in the security headers of a message and validated against the security policy. When security tokens are validated and processed at the service, claims representative of the token are placed into the security context for the operation being executed. Consider the following examples:
Windows credential (Windows token): claims include the Windows identity (its SID and account name) and the groups to which it belongs.
UserName credential (UserName token): claims include the username.
Certificate credential (X.509 token): claims include the subject distinguished name, thumbprint, public key (RSA) blob, and other certificate properties.
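The following is an added example, not code from Learning WCF, showing what the list above looks like from inside a service operation: once WCF has validated the incoming token, the resulting claims are reachable through ServiceSecurityContext.Current.AuthorizationContext.ClaimSets regardless of which credential type produced them. The service contract, the ClaimInspector helper, and the hypothetical requirement that the caller belong to the well-known BUILTIN\Administrators group (SID S-1-5-32-544) are assumptions for illustration, not part of the book.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security.Principal;
using System.ServiceModel;

// Added example (not from the book): reading the claims WCF places into the
// security context after it has validated the caller's security token.
public static class ClaimInspector
{
    // One line per claim in every ClaimSet of the current operation's security
    // context; empty when the call carries no authenticated identity.
    public static IList<string> DescribeClaims()
    {
        var lines = new List<string>();
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;

        // Caveat: with no message/transport security, or an anonymous caller,
        // there may be no usable security context. Never dereference it blindly.
        if (ctx == null || ctx.IsAnonymous)
            return lines;

        foreach (ClaimSet set in ctx.AuthorizationContext.ClaimSets)
        {
            // ClaimSet.Issuer is itself a ClaimSet describing who vouched for these claims
            // (Windows for a Windows token, the issuing CA's identity for an X.509 token).
            foreach (Claim claim in set)
            {
                // Right is Rights.Identity for the claim that names the caller and
                // Rights.PossessProperty for attributes: group SIDs, a thumbprint, a user name.
                // Resource is typed per claim: SecurityIdentifier, byte[], string, ...
                lines.Add(string.Format("{0} | {1} | {2}", claim.ClaimType, claim.Right, claim.Resource));
            }
        }
        return lines;
    }

    // True when any claim set holds a PossessProperty claim of the given type whose
    // resource satisfies the predicate. Because the check is expressed over claims,
    // the same code works whichever credential type the binding accepted.
    public static bool HasClaim(string claimType, Func<object, bool> resourceMatches)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            return false;

        foreach (ClaimSet set in ctx.AuthorizationContext.ClaimSets)
        {
            foreach (Claim claim in set.FindClaims(claimType, Rights.PossessProperty))
            {
                if (resourceMatches(claim.Resource))
                    return true;
            }
        }
        return false;
    }
}

[ServiceContract]
public interface IClaimsDemo
{
    [OperationContract]
    string WhoAmI();
}

public class ClaimsDemoService : IClaimsDemo
{
    // Hypothetical requirement: caller must hold a SID claim for BUILTIN\Administrators.
    // A Windows token satisfies this through its group claims; a UserName or X.509
    // token will not carry SID claims and is therefore rejected here.
    private const string RequiredGroupSid = "S-1-5-32-544";

    public string WhoAmI()
    {
        bool authorized = ClaimInspector.HasClaim(
            ClaimTypes.Sid,
            resource => resource is SecurityIdentifier
                        && ((SecurityIdentifier)resource).Value == RequiredGroupSid);

        if (!authorized)
            throw new FaultException("Access denied: required group claim not present.");

        return string.Join(Environment.NewLine, ClaimInspector.DescribeClaims());
    }
}
```

To test a certificate-authenticated caller instead, replace the predicate with one over ClaimTypes.Thumbprint, whose Resource is the raw byte[] thumbprint (compare it against the expected bytes, not against a hex string typed by hand). Avoid branching on ctx.PrimaryIdentity's concrete type to decide what to check; expressing every rule as "which claim must be present" is what lets a single authorization layer serve Windows, UserName, and Certificate bindings alike.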
Each claim describes an individual right or action applicable to ...