c# - 如何管理用户 claim ？

Question

我目前正在使用 asp.net core 设计一个系统，我想实现基于声明的授权，但有一个特定的部分让我感到困惑。

当提出声明时，声明将包括类型和值以及可选的发行者。在处理程序中，可以在确认访问之前检查此声明和颁发者。

但是这个颁发者没有存储在身份数据库中，那么处理程序如何检查颁发者？

我是不是误解了这一切是如何运作的？我的理解是，用户提出某种类型的声明，他们的声明具有一定的值(value)，而发行者是声明类型的验证者，实际上对该用户具有该值(value)。

处理程序将检查该值并可能检查发行者，但当数据库不存储它时它不能。那时我不明白发行人的意思。

我希望用户有一组声明，包括谁/什么验证了这些声明，并且应用程序能够随时验证这些声明。

请帮助我理解。

我已经这样测试过了:

1. 使用带有 Identity 的 asp.net 核心应用。
2. 注册用户。
3. 向用户添加声明，其中包括类型、值和颁发者。 (例如，EmployeeNumber、312、Microsoft。
4. 在 Controller /操作上添加 [Authorize(Policy="MicrosoftEmployeesOnly")] 以限制访问。
5. 根据要求将政策添加到 StartUp.cs 中的服务中。
6. 添加具有处理程序的要求代码，该处理程序检查用户是否拥有类型为 EmployeeNumber 的声明、具有值且由 Microsoft 发布。
7. 登录和用户声明将从数据库加载到身份中。
8. 处理程序将无法验证用户，因为颁发者 (Microsoft) 已经丢失，现在只说本地权限。

我在这里唯一能想到的是，一旦将声明添加到数据库中，它就被视为已通过 Microsoft 验证，现在由代表 Microsoft 的应用程序(本地机构)持有。

如果是这样的话:

1. 为什么要在任何处理程序中检查颁发者？
2. 如何撤销声明？

我希望能够有选择地前往该发行人并在我需要时检查声明，这意味着发行人可以撤销/使声明无效。该员工声称他们在 Microsoft 有一个员工编号，Microsoft 最初对此进行了验证。一段时间后，Microsoft 将该员工踢出并在他们的系统上将其删除。该应用程序应该能够在用户每次登录时与 Microsoft 核实，以查看声明是否有效。在这种情况下，它将不再有效。

我是不是有点生气了？

Answer 1

在您链接到此问题时将其张贴在这里 from my blog , 它可能对某人有用

I think you have misunderstood slightly about the nature of a claim, which I can understand given the terminology. You seem to be taking 'Claim' as meaning the user is 'professing' that they have a certain attribute, and you want to check that this is true.

That is not the way claims work here. Claims are essentially 'attributes' of the user. In the old way of working with roles, a user would belong to a certain number of roles. These are just 'attributes' the user has now, so are more generic. A user may have a number of claims corresponding to the roles they are in.

The identity of the user is checked during authentication, and at that point you assign the set of Claims that the user has to the ClaimsIdentity object. This is the point you fetch the claims from the database, and make sure they only get the ones they should have. If you need to have someone verifying claims, then you would need to have that whole process happening outside of this. Only the claims which have been confirmed should be added to the ClaimsIdentity.

Now, there is an event you can handle on the CookieAuthenticationMiddleware to validate a security ticket when it is loaded on subsequent requests called ValidatePrincipal, but I'm not sure if this is actually what you need.

以及您随后的回复:

Thank you for your response. I understand now that these claims are effectively verified claims once they get into the db. I guess they could be removed from the db as a way of revoking the claim.

However, I think, as you suggest, the best way is to have this system outside and it just provides claims as and when required. The design is that the application will have accounts for different types of entity and accounts will be able to make claims, for example that "I am a parent". The parent would seek an authorizing account to validate this. This might require the authorizing account holder to actually see some real documentation before validating. Other claims, could change. For example a parent with Parental Responsibility would need a bit more verification, but may also lose that Parental Responsibility in the real world and so a facility for revoking the claim needs to be available.

So, I think the design should be to use the claims system with the Authorize attribute following your excellent articles, but have a separate system that allows for validation and revoking that feeds that claims system.