Claims Based Authentication and Token Based Authentication和WIF
基于声明的认证方式,其最大特性是可传递(一方面是由授信的Issuer,即claims持有方,发送到你的应用上,注意信任是单向的。例如QQ集成登录,登录成功后,QQ会向你的应用发送claims。另一方面可在Issuer之间传递,例如A公司的AD和B公司的AD之间传递),主要用于第三方认证和单点登陆(For claims-based applications,single sign-on for the web is sometimes called passive federation).
A claim is a statement that one subject makes about itself or another subject. The statement can be about a name, identity, key, group, privilege, or capability, for example. Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (STS).
Claim is piece of information that describes given identity on some aspect. Take claim as name-value pair. Claims are held in authentication token that may have also signature so you can be sure that token is not tampered on its way from remote machine to your system. You can think of token as envelop that contains claims about user.
Token may contain different claims:
- username or user ID in remote system,
- full name of user,
- e-mail address,
- membership in security groups,
- phone number,
- color of eyes.
System can use claims to identify and describe given user from more than one aspect. This is something you don’t achieve easily with regular username-password based authentication mechanisms.

security token传递方式:
Security tokens that are passed over the Internet typically take one of two forms:
- Security Assertion Markup Language (SAML) tokens are XML-encoded structures that are embedded inside other structures such as HTTP form posts and SOAP messages.
- Simple Web Token (SWT) tokens that are stored in the HTTP headers of a request or response.
The tokens are encrypted and can be stored on the client as cookies.
Claims Based Authentication
Claims are a set of information stored in a key – value pair form. Claims are used to store information about user like full name, phone number, email address.... and the most important thing is that you can use claims as a replacement of roles, that you can transfer the roles to be a claim for a user.
The most important benefit from claims is that you can let a third party authenticate users, and the third party will retrieve to you if this user is authenticated or not and also what claims are for this user.

Token Based Authentication
Token store a set of data in (local/session storage or cookies), these could be stored in server or client side, the token itself is represented in hash of the cookie or session.
In token based authentication, when a request comes, it should have the token with it, the server first will authenticate the attached token with the request, then it will search for the associated cookie for it and bring the information needed from that cookie.
An Introduction to Claims
https://msdn.microsoft.com/zh-cn/library/ff359101.aspx
Claims-Based Architectures
https://msdn.microsoft.com/en-us/library/ff359108.aspx
WIF(Windows Identity Foundation) 4.5 是一组用于在您的应用程序中实施基于声明的标识的 .NET Framework 类)
包含以下程序集:
mscorlib (mscorlib.dll),
System.IdentityModel(System.IdentityModel.dll),
System.IdentityModel.Services (System.IdentityModel.Services.dll),
System.ServiceModel(System.ServiceModel.dll)
注意从4.5开始,System.IdentityModel.Claims, System.IdentityModel.Policy, and System.IdentityModel.Selectors 将被抛弃
Claims Based Authentication and Token Based Authentication和WIF的更多相关文章
- remote: Incorrect username or password ( access token ) fatal: Authentication failed for
gitee推送到远程仓库时提示错误remote: Incorrect username or password ( access token )fatal: Authentication failed ...
- python测试开发django-rest-framework-60.使用token登录(authentication之TokenAuthentication)
前言 现在很多接口项目在登录的时候返回一个token,登录后的拿着这个token去访问访问登录之后的请求. 本篇使用djangorestframework框架写一个登陆的接口,登录成功后返回token ...
- HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'NTLM'。
情况:WCF服务在浏览器中可以正常浏览,但是通过程序调用提示: HTTP request is unauthorized with client authentication scheme 'Anon ...
- Token Based Authentication in Web API 2
原文地址:http://www.c-sharpcorner.com/uploadfile/736ca4/token-based-authentication-in-web-api-2/ Introdu ...
- Asp.Net MVC webAPI Token based authentication
1. 需要安装的nuget <package id="Microsoft.AspNet.Identity.Core" version="2.2.1" ta ...
- Token Based Authentication -- Implementation Demonstration
https://www.w3.org/2001/sw/Europe/events/foaf-galway/papers/fp/token_based_authentication/
- Forms Authentication and Role based Authorization: A Quicker, Simpler, and Correct Approach
https://www.codeproject.com/Articles/36836/Forms-Authentication-and-Role-based-Authorization Problem ...
- sharepoint adfs Adding Claims to an Existing Token Issuer in SharePoint 2010
转载链接 http://www.theidentityguy.com/articles/2010/10/19/adding-claims-to-an-existing-token-issuer-i ...
- LR中,URL -based script与HTML -based script区别
在Web(HTTP/HTML)录制中,有2种重要的录制模式.用户该选择那种录制模式呢?HTML-mode录制是缺省也是推荐的录制模式.它录制当前网页中的HTML动作.在录制会话过程中不会录制所有的资源 ...
随机推荐
- C++笔记之CopyFile和MoveFile的使用
1.函数定义 CopyFile(A, B, FALSE);表示将文件A拷贝到B,如果B已经存在则覆盖(第三参数为TRUE时表示不覆盖) MoveFile(A, B);表示将文件A移动到B 2.函数原型 ...
- css处理最后一个li
.relatebar li{width:98px;height:146px;padding:5px;float:left;border-left:1px solid #ccc;} .relatebar ...
- memcache使用经历
memcache可以看成是一个大内存库,因为可以集群,所以可以看成是无限大的内存库.既然是内存库,那么我们放的就是一些map了.map里就键值对,虽然内存可以通过集群的方式无限扩展,但单个键值对的大小 ...
- 【openCV学习笔记】在Mac上配置openCV步骤详解
(1)安装Homebrew:(需要Ruby) 注:因为snow leopard 以后已经自带Ruby了,所有可以不用自己安装Ruby. 看一下Homebrew的官网: http://mxcl.gith ...
- HDOJ5877(dfs序+离散化+树状数组)
Weak Pair Time Limit: 4000/2000 MS (Java/Others) Memory Limit: 262144/262144 K (Java/Others)Total ...
- appium 中swipe()方法向左滑动时
应该在UI Automator Viewer中读取到的例如ImageView [180,600][900,1320],如果要左滑,代码中应该是写为driver.swipe(900,1320,180,6 ...
- springboot成神之——mybatis在spring-boot中使用的几种方式
本文介绍mybatis在spring-boot中使用的几种方式 项目结构 依赖 WebConfig DemoApplication 方式一--@Select User DemoApplication ...
- python爬西刺代理
爬IP代码 import requests import re import dauk from bs4 import BeautifulSoup import time def daili(): p ...
- DRF之解析器组件及序列化组件
知识点复习回顾一:三元运算 三元运算能够简化我们的代码, 请看如下代码: # 定义两个变量 a = 1 b = 2 # 判断a的真假值,如果为True,则将判断表达式的前面的值赋给c,否则将判断表达 ...
- LeetCode题解 #155 Min Stack
写一个栈,支持push pop top getMin 难就难在在要在常量时间内返回最小的元素. 一开始乱想了很多东西,想到了HashMap,treeMap,堆什么的,都被自己一一否决了. 后来想到其实 ...