12
votes

I'm truly lost in trying to understand ASP.NET Identity 2.1.0 right now, and need to go back over the basics, in order to better understand how the cookies and claims work.

A basic query is around my not being sure I understand why a User needs properties as well as Claims: isn't a Claim just a key+value+authority, and therefore could have been used for storing the Properties (a key+value)?

* What's the benefit of keeping two sets of properties (other than typed get/sets on the Properties)? Is one intended to be more transient than the other?
* Is it only to distinguish between what gets serialized and round-tripped in the Cookie (only the claims, right?)?
* Talking about that... just checking: is it all Claims that are round-tripped by being serialized in the cookie, or is it only a subset of them (such as ClaimTypes.Roles)?

Thanks for the help!


1 Answer

10
votes

All claims on the user are serialised into the cookie. Not all ApplicationUser properties are serialised as claims. In fact, most properties are not serialised into claims (unless specifically coded for).

You are confusing two concepts: Claims are part of ClaimsPrincipal : IPrincipal, which is available on every HTTP request (if the user is authenticated). The ClaimsPrincipal is created from the ApplicationUser when the user signs in and is serialised into the cookie.

The ApplicationUser model is a way to persist user information in the database, and additional properties are just additional fields in the user table in your DB. You can write code to make these properties available in your cookie by adding claims, but they don't become claims automatically for you.

Adding extra information can be achieved by adding a claim or by adding a property to the ApplicationUser table. You are in control of how to add the data. But bear in mind that these can serve different purposes. If you add a property to ApplicationUser, you are saying that all users should have something for it. If you add a claim with the same data, you are saying that this user has some data that other users may not have.

To answer your last question: all claims are serialised and round-tripped in the cookie. So don't put too much information into the cookie: these can add up and you'll be round-tripping too much data.
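The two mechanisms the answer contrasts, shown side by side in an added example (not the answerer's code, and not part of the Identity library itself). It assumes the standard ASP.NET Identity 2.x `ApplicationUser : IdentityUser` template; the `DisplayName` property and the `urn:example:displayname` claim type are placeholders.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;

// Persisted user: every row in the AspNetUsers table gets this column,
// whether or not a given user has a value for it.
public class ApplicationUser : IdentityUser
{
    // Stored in the database only. It is NOT in the cookie unless the
    // code below explicitly turns it into a claim. (Placeholder property.)
    public string DisplayName { get; set; }

    // Called at sign-in to build the ClaimsIdentity that the cookie
    // middleware serialises. Everything added here round-trips in the cookie.
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
    {
        // CreateIdentityAsync adds the standard claims (NameIdentifier, Name,
        // Role, ...) plus any per-user claims stored in AspNetUserClaims.
        var identity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

        // Promote the DB property into a claim so later requests can read it
        // from the cookie without a database round trip. Keep such promoted
        // values small and non-secret: the cookie is sent on every request.
        if (!string.IsNullOrEmpty(DisplayName))
            identity.AddClaim(new Claim("urn:example:displayname", DisplayName));
        return identity;
    }
}

public static class ClaimsDemo
{
    // Per-user data that other users may not have: stored as a row in
    // AspNetUserClaims rather than as a column on every user.
    public static Task<IdentityResult> GrantAuditorAsync(UserManager<ApplicationUser> manager, string userId)
    {
        return manager.AddClaimAsync(userId, new Claim("urn:example:auditor", "true"));
    }

    // Sign-in: the ClaimsIdentity is what the cookie carries, not the ApplicationUser row.
    public static async Task SignInAsync(ApplicationUser user, UserManager<ApplicationUser> manager, IAuthenticationManager auth)
    {
        var identity = await user.GenerateUserIdentityAsync(manager);
        auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
    }

    // On a later request: read straight from the deserialised cookie (HttpContext.User).
    public static string DisplayNameFromCookie(ClaimsPrincipal principal)
    {
        var claim = principal.FindFirst("urn:example:displayname");
        return claim == null ? null : claim.Value;
    }
}
```

A property added to `ApplicationUser` but not promoted in `GenerateUserIdentityAsync` is only reachable by loading the user again (for example via `UserManager.FindByIdAsync`), which is the distinction the answer draws.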