Tokens and Claims

So, where were we…

The last thing that we looked at was authenticating somebody at the identity provider.  If we assume that this was successful, we now need to be passed back to the original site so we can gain access to whatever we were trying to get to.

However, just because we have been authenticated somewhere does not mean that we are going to be authorised on the original site to perform whatever action it was.  For example, I can authenticate against the UK Government Pension site, which gives me permission to view my pension, but not being retired there are a significant number of actions I cannot perform.

We need to pass something back that states who has authenticated me and gives information that the original site can use to determine whether I can perform the action.  The most commonly accepted way of doing this is via a SAML (Security Assertion Markup Language) token, which contains a set of claims and is digitally signed to ensure it has not been changed.

What is a ‘Claim’?

‘A Claim is a statement made by one entity about another entity’.  This could be Microsoft making the statement that I work for them, or the UK driving licence agency making the statement that I have a valid UK driving licence.

The Identity Provider knows where this request came from, and can therefore generate a set of claims that are relevant for the requesting site.  This could be anything from an ID number (like a Social Security number) to proof that I am over 18.  You should restrict the information you send to the information that is needed; you should not leak additional information if it is not required.

Notice as well that the Identity Provider was not asked to authorise the action; it was not asked ‘Can this person perform action X?’, it was instead asked to provide information so that the original site could make that decision.

Tokens contain claims

The token is nothing more than a wrapper for the claims.  It adds elements such as a unique ID, an expiry stamp, the issuer and so on, and, most importantly, it carries a digital signature that lets you check the contents have not been tampered with.

A real-world example of a token would be your passport.  It was issued by an identity provider (your government), it is protected by anti-tamper devices, and it contains statements about you from your government (your name, your photo, etc.).
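To make the three preceding points concrete (the Identity Provider answers only the questions it was asked and sends nothing more; the Identity Provider does not authorise the action, the original site does; the token is a signed wrapper that carries an ID, expiry and issuer around the claims), here is an added example that is not part of the original post. It stands in for SAML with a deliberately simplified JSON token signed with an HMAC over a shared key, because a real SAML assertion is XML signed with the Identity Provider's X.509 key and needs canonicalisation machinery that would obscure the point. The issuer and audience URLs, the user directory and the signing key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared signing key. A real SAML IdP signs with its X.509 private
# key and the relying party verifies with the matching public certificate.
IDP_SIGNING_KEY = b"example-idp-signing-key-not-for-production"
IDP_ISSUER = "https://idp.example.test"        # hypothetical identity provider
RELYING_PARTY = "https://shop.example.test"    # hypothetical original site

# Constructed user directory held by the identity provider.
USER_DIRECTORY = {
    "alice": {"full_name": "Alice Example", "birth_year": 1990, "national_id": "AB123456C"},
    "bob":   {"full_name": "Bob Example",   "birth_year": 2010, "national_id": "CD987654E"},
}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, requested_claims, audience, now=None, ttl=300):
    """Identity provider side: wrap only the claims the audience asked for.

    The IdP is not asked 'may this user do X'; it is asked for facts about the
    user. An 'over_18' request is answered with a boolean derived from the
    birth year, so the birth year itself is never disclosed."""
    now = int(time.time()) if now is None else now
    record = USER_DIRECTORY[username]
    claims = {}
    for name in requested_claims:
        if name == "over_18":
            # Year-granularity check; good enough for the example.
            claims["over_18"] = (time.gmtime(now).tm_year - record["birth_year"]) >= 18
        elif name in record:
            claims[name] = record[name]
        # Unknown claim names are omitted rather than guessed at.
    body = {
        "id": secrets.token_hex(8),   # unique assertion ID
        "issuer": IDP_ISSUER,
        "audience": audience,         # which site this token was minted for
        "subject": username,
        "issued_at": now,
        "expires_at": now + ttl,      # expiry stamp
        "claims": claims,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_token(token, expected_audience, now=None):
    """Relying party side: check signature, issuer, audience and expiry
    before trusting a single claim. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, signature = _unb64(parts[0]), _unb64(parts[1])
    expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch: token altered or not issued by the IdP")
    body = json.loads(payload)
    if body["issuer"] != IDP_ISSUER:
        raise ValueError("unexpected issuer")
    if body["audience"] != expected_audience:
        raise ValueError("token was issued for a different site")
    if now >= body["expires_at"]:
        raise ValueError("token has expired")
    return body


def token_accepted(token, expected_audience, now=None):
    """Convenience wrapper: True if the token verifies, False otherwise."""
    try:
        verify_token(token, expected_audience, now=now)
        return True
    except ValueError:
        return False


def may_buy_alcohol(token, now=None):
    """The authorisation decision belongs to the original site, not the IdP."""
    body = verify_token(token, RELYING_PARTY, now=now)
    return body["claims"].get("over_18") is True


def forge_over_18(token):
    """Edit the payload without re-signing; used to show that tampering is caught."""
    payload_b64, signature_b64 = token.split(".")
    body = json.loads(_unb64(payload_b64))
    body["claims"]["over_18"] = True
    forged = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(forged) + "." + signature_b64
```

Run `issue_token("alice", ["over_18"], RELYING_PARTY)` and the resulting token carries exactly one claim; `may_buy_alcohol` is where the site turns that claim into a decision. `forge_over_18` shows why the signature matters: the altered payload no longer matches the signature, so `verify_token` refuses it, just as an altered passport fails its anti-tamper checks.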

The power of Identity Providers and Claims

Claims are immensely powerful and, to be honest, are what we have been using in the real world for hundreds of years.  Combine them with the concept of ‘Identity Providers’ and they really shine, as the same data from different sources comes with different levels of trust.

A perfect example of this is the note in the window of my local wine and spirits store that reads “We only accept Passports and Driving Licences for proof of age, letters from your mum will not be accepted”.