System.Security.Authorization.dll
Indigo includes a new assembly: System.Security.Authorization.dll.
This assembly defines claims and tokens.
Claims
A claim is a piece of information that the sender of a message asserts to be true. When the listener receives the message, she should verify the claims and then make authorization decisions based on them; an unverified claim is just the sender's word.
Claims implement the IClaim interface. Examples of implementers include:
AgeClaim: "I claim my age is 21 (so I can buy alcohol on the web?)"
UserNameClaim: "I claim my user name is ..."
RoleClaim: "I claim I am in role ..."
WindowsSidClaim: "I claim I have a given Windows security identifier"
All in all, Indigo comes with a few dozen claim types.
Security tokens
Claims are not directly included in a message; they are embedded inside a security token.
A security token provides two things:
- A series of claims
- A set of cryptographic algorithms
In fact, security tokens implement ISecurityToken. ISecurityToken itself derives from IClaimsProvider (which supplies the claims) and ICryptoProvider (which supplies the cryptographic operations the token's key material can perform).
IClaimsProvider looks like this:
public interface IClaimsProvider
{
    IList<IClaimSet> ClaimSets { get; }
}
ICryptoProvider looks like this:
public interface ICryptoProvider
{
    IList<ICrypto> CryptoCollection { get; }
}
ICrypto looks like this:
public interface ICrypto
{
    byte[] DecryptKey(string algorithmUri, byte[] keyData);
    byte[] EncryptKey(string algorithmUri, byte[] keyData);
    bool IsAsymmetricAlgorithm(string algorithmUri);
    bool IsSupportedAlgorithm(string algorithmUri);
    bool IsSymmetricAlgorithm(string algorithmUri);
}
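To make the ICrypto contract concrete, here is an added example (not code from the original post or from Indigo itself) of an ICrypto that wraps a symmetric session key with an RSA key pair, the kind of operation an X509Token would offer. It is written against the ICrypto signatures shown above; the class names RsaOaepKeyWrap and KeyWrapDemo are chosen here, and the algorithm URIs come from the .NET EncryptedXml constants. Only RSA-OAEP is accepted: the RSA PKCS#1 v1.5 key transport URI is deliberately reported as unsupported, because that padding is exposed to padding-oracle attacks.

```csharp
using System;
using System.Security.Authorization;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;

namespace TestClaims
{
    // Added example: an ICrypto backed by an RSA key pair that only does
    // RSA-OAEP key wrapping. This is an illustration, not Indigo's own code.
    sealed class RsaOaepKeyWrap : ICrypto
    {
        // Accept OAEP only; XmlEncRSA15Url (PKCS#1 v1.5) is rejected on purpose.
        private static readonly string OaepUri = EncryptedXml.XmlEncRSAOAEPUrl;
        private readonly RSACryptoServiceProvider rsa;

        public RsaOaepKeyWrap(RSACryptoServiceProvider rsa)
        {
            if (rsa == null) throw new ArgumentNullException("rsa");
            this.rsa = rsa;
        }

        public bool IsSupportedAlgorithm(string algorithmUri)
        {
            return algorithmUri == OaepUri;
        }

        public bool IsAsymmetricAlgorithm(string algorithmUri)
        {
            return algorithmUri == OaepUri;
        }

        public bool IsSymmetricAlgorithm(string algorithmUri)
        {
            return false; // this token only carries RSA key material
        }

        // Wrap a session key with the public key (true = OAEP padding).
        public byte[] EncryptKey(string algorithmUri, byte[] keyData)
        {
            RequireSupported(algorithmUri);
            return rsa.Encrypt(keyData, true);
        }

        // Unwrap with the private key; a public-only key cannot unwrap.
        public byte[] DecryptKey(string algorithmUri, byte[] keyData)
        {
            RequireSupported(algorithmUri);
            if (rsa.PublicOnly)
                throw new CryptographicException("Private key required to unwrap.");
            return rsa.Decrypt(keyData, true);
        }

        private void RequireSupported(string algorithmUri)
        {
            if (!IsSupportedAlgorithm(algorithmUri))
                throw new CryptographicException("Unsupported key wrap algorithm: " + algorithmUri);
        }
    }

    class KeyWrapDemo
    {
        static void Main(string[] args)
        {
            // Constructed input: an ephemeral 2048-bit key pair stands in for a certificate's key.
            using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048))
            {
                ICrypto crypto = new RsaOaepKeyWrap(rsa);

                byte[] sessionKey = new byte[32];
                new RNGCryptoServiceProvider().GetBytes(sessionKey);

                byte[] wrapped = crypto.EncryptKey(EncryptedXml.XmlEncRSAOAEPUrl, sessionKey);
                byte[] unwrapped = crypto.DecryptKey(EncryptedXml.XmlEncRSAOAEPUrl, wrapped);

                bool roundTrip = Convert.ToBase64String(sessionKey) == Convert.ToBase64String(unwrapped);
                Console.WriteLine("round trip ok: " + roundTrip);
                Console.WriteLine("rsa-1_5 supported: " + crypto.IsSupportedAlgorithm(EncryptedXml.XmlEncRSA15Url));
            }
        }
    }
}
```

The point of the IsSupportedAlgorithm / IsAsymmetricAlgorithm queries is that a message-level security layer can ask a token what it can do before choosing a key-transport algorithm; an implementation that answers "supported" for a weak algorithm will end up being asked to use it.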
Examples of tokens include:
X509Token: the sender has an X.509 certificate
WindowsToken: the sender is a Windows user. This is an abstract class; actual implementations are built either from a user name and password or from a Kerberos ticket
SecurityContextToken: WS-SecureConversation token
SamlToken: SAML token
Exploring a security token
The following code [1] shows the claims of a Windows token built from a user name and password. If you go through the code, you'll notice that a token does not carry a flat set of claims but rather a list of claim sets. Conceptually, however, it makes no difference.
If you run it, you'll see the list of group SIDs the user is in:
System.Security.Tokens.WindowsUserNameToken
primary identityMYLAPTOP\Alice
MYLAPTOP\Alice
issuerSystem.Security.Authorization.SystemIdentityClaim
S-1-5-21-220523388-1060284298-1343024091-513
MYLAPTOP\None
S-1-1-0
Everyone
S-1-5-32-545
BUILTIN\Users
S-1-5-2
NT AUTHORITY\NETWORK
S-1-5-11
NT AUTHORITY\Authenticated Users
S-1-2-0
LOCAL
[1]
using System;
using System.Security.Authorization;
using System.Security.Principal;
using System.Security.Tokens;

namespace TestClaims
{
    class Program
    {
        static void Main(string[] args)
        {
            // Placeholders: substitute a real account and password to run this.
            WindowsUserNameToken t = new WindowsUserNameToken(
                @"domain\user",
                "password",
                true);
            t.Validate();
            ShowToken(t);
            Console.Read();
        }

        // Validate the token if that has not happened yet, then dump every claim set it carries.
        static void ShowToken(SecurityToken t)
        {
            Console.WriteLine(t.ToString());
            if (!t.HasBeenValidated)
            {
                t.Validate();
            }
            foreach (ClaimSet o in t.ClaimSets)
            {
                ShowClaimSets(o);
            }
        }

        // A claim set has a primary identity, an issuer, and the claims themselves.
        static void ShowClaimSets(ClaimSet claimSet)
        {
            Console.Write("primary identity");
            ShowClaim(claimSet.PrimaryIdentity);
            Console.Write("issuer");
            ShowClaim(claimSet.PrimaryIssuer);
            Console.WriteLine("");
            foreach (IClaim claim in claimSet)
                ShowClaim(claim);
        }

        static void ShowClaim(IClaim claim)
        {
            if (claim == null)
            {
                // Nothing in this slot: print an empty line and stop instead of dereferencing null.
                Console.WriteLine("");
                return;
            }
            Console.WriteLine(claim.ToString());
            if (claim is WindowsSidClaim)
            {
                // Resolve the SID to an account name, e.g. S-1-5-32-545 -> BUILTIN\Users.
                WindowsSidClaim sClaim = (WindowsSidClaim)claim;
                try
                {
                    NTAccount account = (NTAccount)sClaim.SecurityIdentifier.Translate(typeof(NTAccount));
                    Console.WriteLine(account.Value);
                }
                catch (IdentityNotMappedException)
                {
                    // SID of a deleted or unreachable account: the raw SID was already printed above.
                    Console.WriteLine("(unresolved)");
                }
            }
        }
    }
}
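The listing only displays claims; the authorization step that the opening paragraph asks for (verify first, then decide) is shown in this added example, which is not part of the original post or of Indigo. It uses the same types as [1] and assumes that Validate() throws on a bad credential rather than returning, and that a SystemIdentityClaim as PrimaryIssuer (as in the output above) marks a claim set vouched for by the operating-system logon rather than asserted by the sender. GroupAuthorizer, IsMemberOf and AuthorizeDemo are names chosen here.

```csharp
using System;
using System.Security.Authorization;
using System.Security.Principal;
using System.Security.Tokens;

namespace TestClaims
{
    // Added example: decide group membership from a token's claims, treating the
    // claims as untrusted until the token is validated and the issuer is one we trust.
    static class GroupAuthorizer
    {
        // True when a validated, system-issued claim set carries a WindowsSidClaim
        // equal to requiredGroup; false otherwise. Never trusts an unvalidated token.
        public static bool IsMemberOf(SecurityToken token, SecurityIdentifier requiredGroup)
        {
            if (token == null || requiredGroup == null)
                return false;

            // Step 1: verify before trusting. Assumption: Validate() throws on a bad
            // credential, so failure surfaces as an exception, never as "authorized".
            if (!token.HasBeenValidated)
                token.Validate();

            foreach (ClaimSet claimSet in token.ClaimSets)
            {
                // Step 2: only accept group claims the local system vouched for.
                // Assumption: a SystemIdentityClaim issuer marks claims produced by
                // the OS logon, as opposed to claims the sender merely asserted.
                if (!(claimSet.PrimaryIssuer is SystemIdentityClaim))
                    continue;

                // Step 3: look for the required group SID among the claims.
                foreach (IClaim claim in claimSet)
                {
                    WindowsSidClaim sidClaim = claim as WindowsSidClaim;
                    if (sidClaim != null && requiredGroup.Equals(sidClaim.SecurityIdentifier))
                        return true;
                }
            }
            return false;
        }
    }

    class AuthorizeDemo
    {
        static void Main(string[] args)
        {
            // Placeholders: substitute a real account and password to run this.
            WindowsUserNameToken token = new WindowsUserNameToken(@"domain\user", "password", true);

            // BUILTIN\Users is S-1-5-32-545, one of the SIDs in the output above;
            // BUILTIN\Administrators is S-1-5-32-544, which that user does not hold.
            SecurityIdentifier users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            SecurityIdentifier admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

            Console.WriteLine("member of BUILTIN\\Users: " + GroupAuthorizer.IsMemberOf(token, users));
            Console.WriteLine("member of BUILTIN\\Administrators: " + GroupAuthorizer.IsMemberOf(token, admins));
        }
    }
}
```

Comparing SecurityIdentifier values rather than translated account names is deliberate: names are locale- and lookup-dependent and Translate can fail for a SID that no longer maps, while the SID is what the logon actually established.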