Claims that keep us safe
What is the problem we are trying to solve?
Let's say you own a business that has an office in downtown LA. One day a man walks up to the counter and says to Jenny, the lady at the desk, "I have a meeting with the boss. I want to go see his office." Jenny does not recognize this strange man and is unaware of any meetings that may be on your schedule. What would you think of Jenny if she just let this man go past security and visit the office? You would think that Jenny needs to be replaced with someone who would keep the office a place of safety. How should she do that? She should call back to someone in the office who holds all the information about meetings and who those meetings are with.
What is the ClaimsPrincipal?
Now, maybe that makes sense in an office setting, but have you ever considered that this happens all the time in the cyber world? Every day, software and hackers are trying to mask their identity as someone who should have access to your hidden data! The ClaimsPrincipal is the first line of security. It lets the application build an identity for the logged-in user, and that identity can then be used to protect the user's data unless the request passes a series of checks. By using safe coding practices we can maintain a safe environment that protects the database from imposters.
How does the ClaimsPrincipal keep user data safe from theft?
One of the most practical ways is to verify claims against identity data we already know. So let's say Jenny wants to confirm that the man at the desk is someone the owner wants to see and has an appointment with the owner. That is a series of claims being made, but how do we know the truth? We call back into the office and let them tell us who has a meeting and who is safe. We can then compare the information provided by our mystery man against the schedule and the other claims he has made. If the information matches, then he is safe to proceed, but if not, it is reasonable to assume something is wrong.
In Practice
One example of using the ClaimsPrincipal is in the API controller of your app.
In this example we make an HTTP GET request that sends the pet id through the route (URL) and receives the result of the API call in the body of the response.
Client Side GET request:
    public async Task<PetInfoDTO?> GetPetInfoByIdAsync(int petId)
    {
        PetInfoDTO? petInfo = await _httpClient.GetFromJsonAsync<PetInfoDTO>($"api/petsInfo/{petId}");
        return petInfo;
    }
Server Side Controller:
    // Use the UserManager to get the identity of the logged-in user from the
    // ClaimsPrincipal (User) and store it in _userId.
    private string _userId => _userManager.GetUserId(User)!;

    // [Authorize] guarantees there is a logged-in user before _userId is read.
    [Authorize]
    [HttpGet("{petId:int}")]
    public async Task<ActionResult<PetInfoDTO>> GetPetInfoByIdAsync([FromRoute] int petId)
    {
        PetInfoDTO? petInfo = await _petService.GetPetInfoByIdAsync(petId, _userId);
        if (petInfo is null)
        {
            return NotFound();
        }
        return Ok(petInfo);
    }
As you can see, we are not allowing the app user to tell us who they are by sending self-identifying information to the controller. Instead we get the user information from the ClaimsPrincipal using the UserManager. It may look different depending on the situation, but it is always important to think about who we are letting tell us what information is safe to pass around. Do we trust the source? Would the end user be satisfied with how we handle protecting their data?
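The service layer behind the controller above, as an added example that is not part of the original post: the Pet, AppDbContext and IPetService names are assumed stand-ins for the app's own types, and the insecure variant is included only to show what goes wrong when the owner id comes from the client instead of the ClaimsPrincipal.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

// Added example, not from the original post. Pet, AppDbContext and IPetService
// are assumed names standing in for the app's own types.
public class Pet
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";   // Identity user id of the owner
    public string Name { get; set; } = "";
}

public record PetInfoDTO(int Id, string Name);

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Pet> Pets => Set<Pet>();
}

public interface IPetService
{
    Task<PetInfoDTO?> GetPetInfoByIdAsync(int petId, string userId);
}

public class PetService : IPetService
{
    private readonly AppDbContext _db;
    public PetService(AppDbContext db) => _db = db;

    // INSECURE (for contrast): the owner id arrives from the client (route,
    // query string or body). The filter looks right, but the caller chooses the
    // value it is compared against, so the check protects nothing.
    public Task<PetInfoDTO?> GetPetInfoByIdInsecureAsync(int petId, string userIdFromClient) =>
        _db.Pets.Where(p => p.Id == petId && p.OwnerId == userIdFromClient)
                .Select(p => new PetInfoDTO(p.Id, p.Name))
                .FirstOrDefaultAsync();

    // SECURE: userId is what the controller read from the ClaimsPrincipal via
    // _userManager.GetUserId(User), so the ownership filter is enforced inside
    // the query itself. A pet owned by someone else looks exactly like a pet
    // that does not exist; the controller should answer that with NotFound().
    public Task<PetInfoDTO?> GetPetInfoByIdAsync(int petId, string userId) =>
        _db.Pets.Where(p => p.Id == petId && p.OwnerId == userId)
                .Select(p => new PetInfoDTO(p.Id, p.Name))
                .FirstOrDefaultAsync();
}
```

Because the ownership condition lives in the same query as the lookup, there is no window where the record is loaded first and checked afterwards, and every read path through the service inherits the check.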