ASP.NET Core Identity adds UI login functionality to ASP.NET Core web apps and manages the related resources like roles and claims.

Through working with the package, I’ve had to learn a few key concepts related to user authentication and authorization and that’s what I would like to share in this article.

Permission

A permission specifies an action that a subject may take on a resource.

Role

A role is a kind of claim that represents a collection of permissions that can be granted to an identity.

Token

A token represents an ownership factor of a credential.

Credential

A credential is any piece of authentication information used to verify the identity of a subject when it tries to access a resource.

Types of credentials include: passwords, tokens, certificates, biometric data.

A credential can be expressed in terms of authentication factors.

Identity

The identity object contains information about the user or entity being validated.

An identity can be bound to a credential.

Subject

A subject is any entity that is requesting access to a resource / object.

When a user logs on to an application, they become the subject and the application is the object.

A subject has an identity.

Examples of a subject are: user, system, person, machine, process.

Principal

A principal is any entity that can be authenticated by the computer system or network. It’s also known as a security principal. A principal is a subset of a subject that is represented by an account, role or other unique identifier. On the level of implementation details, principals are the unique keys used in access control lists.

A principal can be used to identify a subject.

During the authentication process, a subject is populated with associated principals. A subject may have many principals. For example, a person may have a name principal (“Jane Doe”) or an SSN principal which distinguishes it from other subjects.

Examples of a principal are: user, a service, a process.

User

A user is a subset of a principal that usually refers to a human operator.

Issuer

An issuer delivers claims by issuing tokens.

Examples of an issuer are: an application, a service, an identity provider.

Claim

A claim is a statement about a subject by an issuer. Claims represent attributes of the subject that are useful in the context of authentication and authorization operations. A claim can be evaluated to determine access rights to data and other secured resources during the process of authorization.

Claims are part of tokens and provide you with information about a subject or granted access.

For example, the JSON object below, representing part of a JWT, contains three claims (sub, name, admin):

{
    "sub": "1234567890",
    "name": "Jane Doe",
    "admin": true
}
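As an added example (not code from the article), here is how those three claims become a subject's identity and principal in .NET using System.Security.Claims. The issuer URL, the extra role claim and the "Bearer" authentication type are assumptions made for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

static class ClaimsDemo
{
    // Builds a principal from the claims in the JWT payload above.
    // The issuer value is assumed for the example; a real token's issuer
    // comes from its "iss" claim after signature validation.
    public static ClaimsPrincipal BuildPrincipal()
    {
        const string issuer = "https://issuer.example"; // assumed
        var claims = new List<Claim>
        {
            new Claim("sub", "1234567890", ClaimValueTypes.String, issuer),
            new Claim("name", "Jane Doe", ClaimValueTypes.String, issuer),
            new Claim("admin", "true", ClaimValueTypes.Boolean, issuer),
            // An added role claim so the principal can be checked with IsInRole.
            new Claim("role", "Administrator", ClaimValueTypes.String, issuer),
        };

        // The identity says which claim types carry the name and the roles.
        // Supplying an authentication type is what makes IsAuthenticated true.
        var identity = new ClaimsIdentity(claims,
                                          authenticationType: "Bearer",
                                          nameType: "name",
                                          roleType: "role");

        // A principal can hold several identities; here it has one.
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var principal = BuildPrincipal();

        Console.WriteLine($"Authenticated: {principal.Identity?.IsAuthenticated}");
        Console.WriteLine($"Name:          {principal.Identity?.Name}");
        Console.WriteLine($"Subject id:    {principal.FindFirst("sub")?.Value}");
        Console.WriteLine($"admin claim:   {principal.HasClaim("admin", "true")}");
        Console.WriteLine($"In role:       {principal.IsInRole("Administrator")}");

        // Authorization decisions should consider who asserted a claim,
        // not only its value; every claim records its issuer.
        Console.WriteLine($"admin issued by: {principal.FindFirst("admin")?.Issuer}");
    }
}
```

The nameType and roleType arguments matter: IsInRole and Identity.Name look up the claim types the identity was told to use, so a token whose roles arrive under "role" rather than ClaimTypes.Role needs this mapping (or the mapping configured in the authentication handler) before role checks work.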

Policy

An authentication policy allows you to specify authentication settings for different sets of users and configurations.

Authentication policies enforce factor requirements when users sign in to apps or perform certain actions.

Examples of policies:

  • Two-step verification: require a second step when logging in
  • Password requirements: minimum password strength
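The Program.cs below is an added example, not code from the article, of how the two kinds of policy just listed look in an ASP.NET Core app on the .NET 6+ minimal hosting model with implicit usings. It assumes an Identity user store is registered elsewhere (only the option and policy configuration is shown), and the policy names, claim values and route paths are made up for the example. The "amr" claim with value "mfa" is the claim ASP.NET Core Identity adds to the principal after a successful two-factor sign-in.

```csharp
using Microsoft.AspNetCore.Identity;

var builder = WebApplication.CreateBuilder(args);

// Authentication policy: password and sign-in requirements that Identity
// enforces whenever a user registers, changes a password or signs in.
builder.Services.Configure<IdentityOptions>(options =>
{
    // Password requirements: length over character-class rules.
    options.Password.RequiredLength = 12;
    options.Password.RequiredUniqueChars = 4;
    options.Password.RequireNonAlphanumeric = false;
    options.Password.RequireUppercase = false;
    options.Password.RequireLowercase = false;
    options.Password.RequireDigit = false;

    // Lockout slows down online password guessing.
    options.Lockout.AllowedForNewUsers = true;
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);

    // No sign-in until the account (e-mail) has been confirmed.
    options.SignIn.RequireConfirmedAccount = true;
});

// Authorization policies: evaluated against the claims of the signed-in
// principal. Policy names and claim values are assumed for the example.
builder.Services.AddAuthorization(options =>
{
    // Claim-based: the "admin" claim from the JWT example must be "true".
    options.AddPolicy("AdminOnly", policy => policy.RequireClaim("admin", "true"));

    // Role-based: the principal must carry the role claim "Administrator".
    options.AddPolicy("RoleAdmin", policy => policy.RequireRole("Administrator"));

    // Two-step verification: only principals whose session completed a
    // second factor (Identity records this as amr=mfa) may pass.
    options.AddPolicy("MfaRequired", policy => policy.RequireClaim("amr", "mfa"));
});

var app = builder.Build();

// Authentication must run before authorization so the principal is populated.
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", () => "public");
app.MapGet("/admin", () => "admin area").RequireAuthorization("AdminOnly");
app.MapGet("/settings", () => "sensitive settings").RequireAuthorization("MfaRequired");

app.Run();
```

Whether two-factor is actually required for a given user is a per-user setting (the user's TwoFactorEnabled flag); the "MfaRequired" policy above is how an endpoint can insist on it regardless, because a principal that signed in with only a password will not carry the amr=mfa claim.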

Scope

Scopes provide a logical grouping of claims. For example, an ID Token with the profile scope can include the following claims: name, family_name, nickname, etc.

Scopes provide a mechanism to limit the access of the subject to API resources.
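As an added example (not code from the article), the helper below checks whether a principal was granted a given scope. The token contents are constructed, and the helper covers a common pitfall: many issuers put all granted scopes into a single space-separated "scope" claim, so a plain HasClaim("scope", "api.read") check fails even though the scope was granted.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class ScopeCheck
{
    // Returns the distinct scopes granted to the principal. Handles both
    // encodings seen in practice: several "scope" claims with one value
    // each, or one "scope" claim whose value is a space-separated list.
    public static string[] GrantedScopes(ClaimsPrincipal principal) =>
        principal.FindAll("scope")
                 .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
                 .Distinct(StringComparer.Ordinal)
                 .ToArray();

    // True when the required scope is among the granted ones (exact match;
    // scope names are case-sensitive in OAuth 2.0).
    public static bool HasScope(ClaimsPrincipal principal, string required) =>
        GrantedScopes(principal).Contains(required, StringComparer.Ordinal);

    public static void Main()
    {
        // Constructed claims: one space-delimited scope claim, as many issuers emit it.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("sub", "1234567890"),
            new Claim("scope", "openid profile api.read"),
        }, "Bearer");
        var principal = new ClaimsPrincipal(identity);

        Console.WriteLine("granted: " + string.Join(", ", GrantedScopes(principal)));
        Console.WriteLine("api.read granted?  " + HasScope(principal, "api.read"));
        Console.WriteLine("api.write granted? " + HasScope(principal, "api.write"));

        // Comparing against the whole claim value does not see the individual
        // scope, which is why the split in GrantedScopes matters.
        Console.WriteLine("HasClaim sees api.read? " + principal.HasClaim("scope", "api.read"));
    }
}
```

In an ASP.NET Core authorization policy the same check can be expressed with RequireAssertion(ctx => HasScope(ctx.User, "api.read")), so that an API endpoint limits access to the scopes the token was actually issued with.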

The next part in the series is here