Claims Based Authentication and Token Based Authentication

基于声明的认证方式,主要用于第三方认证.

claim is a statement that one subject makes about itself or another subject. The statement can be about a name, identity, key, group, privilege, or capability, for example. Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (STS).

Claim is piece of information that describes given identity on some aspect. Take claim as name-value pair. Claims are held in authentication token that may have also signature so you can be sure that token is not tampered on its way from remote machine to your system. You can think of token as envelop that contains claims about user.

Token may contain different claims:

  • username or user ID in remote system,
  • full name of user,
  • e-mail address,
  • membership in security groups,
  • phone number,
  • color of eyes.

System can use claims to identify and describe given user from more than one aspect. This is something you don’t achieve easily with regular username-password based authentication mechanisms.

Claims Based Authentication

Claims are a set of information stored in a key – value pair form. Claims are used to store information about user like full name, phone number, email address.... and the most important thing is that you can use claims as a replacement of roles, that you can transfer the roles to be a claim for a user.

The most important benefit from claims is that you can let a third party authenticate users, and the third party will retrieve to you if this user is authenticated or not and also what claims are for this user.

Token Based Authentication

Token store a set of data in (local/session storage or cookies), these could be stored in server or client side, the token itself is represented in hash of the cookie or session.

In token based authentication, when a request comes, it should have the token with it, the server first will authenticate the attached token with the request, then it will search for the associated cookie for it and bring the information needed from that cookie.

An Introduction to Claims

https://msdn.microsoft.com/zh-cn/library/ff359101.aspx

Claims-Based Architectures

https://msdn.microsoft.com/en-us/library/ff359108.aspx

时间: 2024-10-10 19:59:11

Claims Based Authentication and Token Based Authentication的相关文章

remote: Incorrect username or password ( access token ) fatal: Authentication failed for

gitee推送到远程仓库时提示错误remote: Incorrect username or password ( access token )fatal: Authentication failed for 'https://gitee.com/***/***.git/' 解决办法:清除本地的gitee用户名和密码 git config --system --unset credential.helper 再执行推送,重新输入用户名和密码. 原文地址:https://www.cnblogs.c

Token Based Authentication in Web API 2

原文地址:http://www.c-sharpcorner.com/uploadfile/736ca4/token-based-authentication-in-web-api-2/ IntroductionThis article explains the OWIN OAuth 2.0 Authorization and how to implement an OAuth 2.0 Authorization server using the OWIN OAuth middleware. Th

认证 协议 JWT OAuth Session Cookie

本文翻译自Auth-Boss. 如果有翻译的不恰当或不对的地方, 欢迎指出. 成为一个认证老司机, 了解网络上不同的身份认证方法. 本文档的目的是记录和编目Web上的身份验证方法.认证指的是创建一个系统的过程,用户可以通过该系统"登录"在线服务,并授予对受保护资源的访问权限.以下引用可能更好地总结我想要解释的内容: 客户端认证涉及向Web上的服务器证明客户端(或用户)的身份.[1] How 我写作风格简洁,会用到一些技术词. 免责声明:本文档不作为包含所有认证方法的网络的目录;本文档也

HTTP验证大法(Basic Auth,Session, JWT, Oauth, Openid)

本文标签:   HTTP Auth OpenID HTTP验证大法 Session REST   服务器 成为一个"认证"老司机 本文翻译自 Auth-Boss . 如果有翻译的不恰当或不对的地方, 欢迎指出. 成为一个认证老司机, 了解网络上不同的身份认证方法. 本文档的目的是记录和编目Web上的身份验证方法. 认证指的是创建一个系统的过程,用户可以通过该系统"登录"在线服务,并授予对受保护资源的访问权限. 以下引用可能更好地总结我想要解释的内容: 客户端认证涉及

Using PL/SQL APIs as Web Services

Overview Oracle E-Business Suite Integrated SOA Gateway allows you to use PL/SQL application programming interfaces (APIs) to insert or update data in Oracle E-Business Suite. APIs are stored procedures that let you update or retrieve data from Oracl

Method and system for public-key-based secure authentication to distributed legacy applications

A method, a system, an apparatus, and a computer program product are presented for an authentication process. A host application or system within a distributed data processing system supports one or more controlled resources, such as a legacy applica

Java EE 7 / JAX-RS 2.0: Simple REST API Authentication & Authorization with Custom HTTP Header--reference

REST has made a lot of conveniences when it comes to implementing web services with the already available HTTP protocol at its disposal. By just firing GET, POST and other HTTP methods through the designated URL, you’ll sure to get something done thr

[转] An Introduction to Mutual SSL Authentication

1. Introduction Mutual SSL authentication or certificate based mutual authentication refers to two parties authenticating each other through verifying the provided digital certificate so that both parties are assured of the others' identity. In techn

Using JAAS Authentication in Java Clients---weblogic document

The following topics are covered in this section: JAAS and WebLogic Server JAAS Authentication Development Environment Writing a Client Application Using JAAS Authentication Using JNDI Authentication Java Client JAAS Authentication Code Examples The