Is there a fundamental difference between claims authorization and roles authorization?

4
votes

VS2013, MVC5

I may get some terminology wrong because I'm new to this topic.

What I've read has led me to conclude that claims can be used for authentication and authorization which are 2 very different concepts. Assuming this thinking is correct, my question relates to claims as they might apply to authorization, not authentication (or identity? - is it accurate to consider identity as a substitute concept for authentication?)

The Wikipedia article seemed as concise as anything else I read saying (1st line last section) the difference between claims and roles is a:

distinction between what the user is/is not and what the user may/may not do

If I use claims to determine what a user may or may not do, I don't see how that is different than what roles do. This article kind of implies it's different, but the example seems the same to me with the claims example merely a better role definition, yes?

This article suggests there's little difference but the explanation seems to suggest an absolutely fundamental difference because it begins to employ a value in the claim. But unless the value allows the claim to composite roles into a single claim, it's still just a role, yes? And if you do composite roles into a single claim value in a large application, while that scheme might be more space efficient wouldn't it also require a method to decode the composited roles later?

This previously linked article stated that while there is a data structure in MVC5 for claims, it's not tied to a data attribute, so wouldn't using claims for authorization require significant extra programming or more complicated references to the claims?

So that's what brings me to ask the question in the title of the post, is there a fundamental difference? Because if not, I don't see why I would use claims for authorization.

I'm not experienced enough yet to fully follow how claims are used for authentication, but I get it there is significant value for using a 3rd party to authenticate and also for things like single sign on, but that's not my focus in this question.

2
asp.net-mvcvb.netasp.net-identityclaims-based-identity
All roles are claims but not all claims are roles.rism
@rism that is a good description!trailmax

2 Answers

2
votes

You are digging too deep. There is no fundamental difference between a role and a claim. To the point that roles are stored as claims in the authentication cookie. You can pretty easily create authentication attibute that will work with claims. Only roles have slightly more code around them in the framework. When you call IPrincipal.IsUserInrole("rolename"), the framework actually checks if user has a claims of type ClaimTypes.Role with the value "rolename".

I have played with these concepts for a while and my conculsion was that claims can give you more granular authentication levels. Also you can use claims as a containers for data to add on auth-cookie. Roles are pretty inflexible in this sense.

1
votes

There is no fundamental difference. The advantage of claims is it could contains data. For example you may have claim with MaxAllowedOrderSum=1000 and use it for authorizing orders.

With role authorization you will need to invent Role=PriviledgedManager and somehow get the maximum sum of orders. Nothing impossible but more entities involved.