The defining property of claims-based authentication is that claims can be passed along. On one hand, claims are sent to your application by a trusted Issuer (the party that holds the claims); note that the trust runs in one direction only. For example, with QQ integrated login, after a successful login QQ sends claims to your application. On the other hand, claims can be passed between Issuers, for example between Company A's AD and Company B's AD. It is used mainly for third-party authentication and single sign-on (for claims-based applications, single sign-on for the web is sometimes called passive federation).

A claim is a statement that one subject makes about itself or another subject. The statement can be about a name, identity, key, group, privilege, or capability, for example. Claims are issued by a provider, given one or more values, and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (STS).

A claim is a piece of information that describes a given identity in some aspect. Think of a claim as a name-value pair. Claims are held in an authentication token that may also carry a signature, so you can be sure the token was not tampered with on its way from the remote machine to your system. You can think of the token as an envelope that contains claims about the user.

A token may contain different claims:

  • username or user ID in remote system,
  • full name of user,
  • e-mail address,
  • membership in security groups,
  • phone number,
  • color of eyes.

A system can use claims to identify and describe a given user from more than one aspect. This is something you do not achieve easily with regular username-password based authentication mechanisms.

How security tokens are passed:

Security tokens that are passed over the Internet typically take one of two forms:

  • Security Assertion Markup Language (SAML) tokens are XML-encoded structures that are embedded inside other structures such as HTTP form posts and SOAP messages.
  • Simple Web Token (SWT) tokens that are stored in the HTTP headers of a request or response.

The tokens are encrypted and can be stored on the client as cookies.

Claims Based Authentication

Claims are a set of information stored as key-value pairs. Claims are used to store information about a user such as full name, phone number, email address, and so on, and, most importantly, you can use claims as a replacement for roles: a user's roles can be expressed as claims about that user.

The most important benefit of claims is that you can let a third party authenticate users; the third party then returns to you whether the user is authenticated and which claims this user has.
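The two points above, roles expressed as claims and a third party supplying them, are shown in the added Python example below (not code from the original page or from WIF). It builds a principal from a list of claims, keeps only claims from issuers the application trusts, and answers authorization questions from the remaining claims. The issuer URLs and the sample claims are constructed.

```python
"""Claims-based authorization with issuer trust (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Claim:
    claim_type: str  # e.g. "name", "email", "role"
    value: str
    issuer: str      # the party that asserted this claim


class ClaimsPrincipal:
    """A user described by a bag of claims; claims from untrusted issuers are discarded."""

    def __init__(self, claims: Iterable[Claim], trusted_issuers: Set[str]):
        incoming = list(claims)
        # Trust is one-directional: the application decides which issuers it believes,
        # so a claim is only kept if its issuer is on that list.
        self.claims: Tuple[Claim, ...] = tuple(c for c in incoming if c.issuer in trusted_issuers)
        self.rejected: Tuple[Claim, ...] = tuple(c for c in incoming if c.issuer not in trusted_issuers)

    def find_all(self, claim_type: str) -> List[str]:
        """All values of a given claim type (a user may hold several roles)."""
        return [c.value for c in self.claims if c.claim_type == claim_type]

    def has_claim(self, claim_type: str, value: Optional[str] = None) -> bool:
        """True if the principal holds a claim of this type (and value, if given)."""
        return any(c.claim_type == claim_type and (value is None or c.value == value)
                   for c in self.claims)

    def is_in_role(self, role: str) -> bool:
        """Role membership is just a 'role' claim with the role name as its value."""
        return self.has_claim("role", role)


def authorize(principal: ClaimsPrincipal, required: List[Tuple[str, str]]) -> bool:
    """Policy: every (type, value) pair in `required` must be present on the principal."""
    return all(principal.has_claim(t, v) for t, v in required)


# Constructed: the only STS this application trusts.
TRUSTED_ISSUERS = {"https://sts.example"}


def build_demo_principal() -> ClaimsPrincipal:
    """Constructed sample: claims as an STS would hand them to the application."""
    claims = [
        Claim("name", "alice", "https://sts.example"),
        Claim("email", "alice@example.com", "https://sts.example"),
        Claim("email_verified", "true", "https://sts.example"),
        Claim("role", "User", "https://sts.example"),
        # Asserted by an issuer the application does not trust, so it is dropped.
        Claim("role", "Admin", "https://untrusted-sts.example"),
    ]
    return ClaimsPrincipal(claims, TRUSTED_ISSUERS)


if __name__ == "__main__":
    p = build_demo_principal()
    print("roles:", p.find_all("role"))              # ['User']
    print("rejected claims:", p.rejected)
    print("may view reports:", authorize(p, [("role", "User"), ("email_verified", "true")]))
    print("may administer:", authorize(p, [("role", "Admin")]))
```

Filtering by issuer at construction time keeps every later check simple: `is_in_role` and `authorize` never need to ask where a claim came from, because anything still on the principal was issued by a party the application chose to trust.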

Token Based Authentication

A token stores a set of data (in local storage, session storage or cookies); this data can be held on the server side or the client side, and the token itself is represented as a hash of the cookie or session.

In token-based authentication, every incoming request must carry the token. The server first authenticates the token attached to the request, then looks up the cookie or session associated with it and retrieves the information it needs from there.

An Introduction to Claims

https://msdn.microsoft.com/zh-cn/library/ff359101.aspx

Claims-Based Architectures

https://msdn.microsoft.com/en-us/library/ff359108.aspx

WIF (Windows Identity Foundation) 4.5 is a set of .NET Framework classes for implementing claims-based identity in your applications.

It includes the following assemblies:

  • mscorlib (mscorlib.dll)
  • System.IdentityModel (System.IdentityModel.dll)
  • System.IdentityModel.Services (System.IdentityModel.Services.dll)
  • System.ServiceModel (System.ServiceModel.dll)

Note that starting with 4.5, System.IdentityModel.Claims, System.IdentityModel.Policy, and System.IdentityModel.Selectors are deprecated.
