Episode 245

Joe Kuemerle on Reverse Engineering Applications

Episode 244

Josh Harrison on Azure Access Control service

So last night I go to the bar to get all liquored up and I says to the bartender: “Gimme my favourite getting-liquored-up drink – a dirty vodka martini with extra olives and Grey Goose vodka.

The bartender looks at me and he sees my cherubic countenance and he notices my boyish charm and he says “Son, we have laws in this state. We are unable to serve anyone who is under the age of 21. Can you prove to me that you are at least 21 years old?”

“You bet I can!” I says to him. “Follow me!”

And we go out back where my private jet is parked and we fly down to Tampa where he meets my parents and they tell him how I was born during the Kennedy administration and they explain how I was such a rotten kid that my dad went to the War in Vietnam just to get a break from me.

Then we get back in my private jet and we fly to Jacksonville, NC to the hospital where I was born and they show us my birth certificate and the bartender asks me “Can you prove that you are the David Giard listed on this birth certificate?” and I proceed to provide him with blood samples and fingerprints and utility bills and all sorts of evidence that I am in fact the David Giard listed on the Birth Certificate.

So we fly back to the bar and the bartender says “OK, you’ve convinced me that you are David Giard and that you were born more than 21 years ago” and he mixes up my favourite getting-liquored-up drink and I drink it like the grown man that I am.

Now…

…Some of the above story is untrue.

First, I don’t drink Grey Goose. I’m a Ketel One man.

Second, I don’t own a private jet.

And finally, the bartender does not have time to personally verify the identity and age of every young whippersnapper who orders a drink. If he did so, he wouldn’t have time to serve other whippersnappers and they would go away thirsty and cranky and he wouldn’t make enough money to keep the bar open.

Instead, the bartender has to trust someone else. But who can he trust? Probably not me. As we’ve already seen, I am capable of telling a convincing story that is not 100% true.

Of course, he will trust the government (because, if you can’t trust the government, who can you trust?)

In my case, he will trust the state government because months ago, I went to an office run by the state of Michigan and I proved to them (by supplying a birth certificate, a photo ID, a utility bill, and other documents) that I am David Giard and on what date I was born. It turns out that the state government has been verifying such information for a long time, so they are pretty good at it. When I had satisfied the government office, they issued me a “token” verifying my identity and certain claims about me, such as my date of birth. This token took the form of a Driver’s License. This Driver’s License claims that my name is David Giard and that I was born on a specific date and that I look like the photo in the corner of the license and that I reside at a specific address.

Claims-based authentication works exactly like this.

In claims-based authentication, an application does not authenticate a user directly. Instead, the application directs the user to a trusted authority (known as a “Secure Token Service” or “STS”) and asks the STS to authenticate the user. In some cases, this STS may even decide to ask some other STS that it trusts to authenticate the user. When the user has been authenticated, the STS will create a token to return to the application. This token contains proof of authentication, but it may also contain a number of “Claims”. Claims are attributes about the user that are asserted by the STS. Because the application trusts the STS, it will believe these claims about the user.

Much like the bartender believes the birth date on a valid driver’s license, the application believes the claims contained in the token. And just like the bartender applies his own rules based on the driver’s license claims (you must be 21 or over to drink), the application can apply whatever rules it sees fit to authorize the user based on claims contained in the token provided by the STS. For example, the application may decide that only users in a given role may view certain pages in an application. Or that certain links are disabled, unless a user has been with the company a certain length of time.

Thus, the authentication (who is this user?) is outsourced to another application, but the authentication (what can this user do?) is not.

Episode 219

Vittorio Bertocci on WIF

Episode 207

Troy Hunt on ASP.NET Security

Episode 198

Bill Sempf on Security