Infosys Microsoft Alliance and Solutions blog


Claims Based Authentication

Until recently, most thick-client applications, and browser-based applications running on an intranet, used Windows authentication and relied on ACLs for authorization. Where Windows authentication was not possible, applications fell back to a user id and password checked against a database, commonly called Forms-based authentication, and authorized users against roles defined in that database.

Everything works fine so far, so what is claims-based authentication all about, how does it compare with role-based authorization, and should we really move towards it?

This is in fact one of the questions I get most often, and one I had myself until some time back. Let me try to clarify it.

Claims-based authentication mimics Windows authentication with Active Directory (AD) in a non-Windows world where user information is not in AD (it works with AD as well; the point is that claims can carry anything and are not limited to Windows). When a user authenticates with AD, AD issues a ticket, signed by AD, that carries information about the user, including the domain groups the user belongs to. Here we have an issuer (AD) vouching for you once it has validated you. Claims-based authentication generalises the same model: there is an issuer, a subject that the issuer vouches for, and a resource that needs to make an authorization decision. Certificates are another example of this model. There the issuer is a Certificate Authority vouching for the person to whom the certificate is issued; a certificate typically carries only information about the subject, whereas an AD ticket also carries group membership. The common point is that an issuer vouches for a subject and attaches additional information about that subject, and which information is attached varies from issuer to issuer. The resource that grants access looks at the claims and decides, but only after checking that the claims really came from an issuer it trusts and that the issuer's signature is intact; a claim that has not been verified is just an unauthenticated assertion.

Now back to the difference between roles and claims. Roles are fine when every resource that grants access to a subject consults the same source of role information. In less structured, dynamic environments claims offer more choice, because the information available for authorization is whatever the issuer provides, and the resource can act on it directly. Claims also fit well when used across applications, because a trusted issuer sits between the subject and the resource (this is more in line with federation). Claims can be seen as a superset of roles: roles can simply travel as one kind of claim issued by an issuer.
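The issuer/subject/resource model, and the point that roles are just one kind of claim, as a small worked example in Python. This is added illustration code, not anything from the original post or from a Microsoft product: the issuer names, secrets, claim names and the `issue_token`, `verify_token` and `can_access` functions are all assumptions made up for the demo, and an HMAC stands in for the signature a real token service would produce with a private key. The interesting part is the set of checks a resource performs before it acts on a single claim: is the issuer one it trusts, does the signature verify, and is the token inside its validity window.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secrets (assumption for the example). Each issuer signs
# with its own key; a resource "trusts" an issuer by holding that issuer's
# verification key. HMAC keeps the example self-contained; a real token
# service signs with a private key and the resource checks the public key.
ISSUER_KEYS = {
    "urn:example:corp-ad": b"demo-corp-ad-secret",
    "urn:example:partner-sts": b"demo-partner-secret",
}
# The resource's trust list: only tokens from these issuers are accepted.
TRUSTED_ISSUERS = dict(ISSUER_KEYS)
DEMO_NOW = 1_700_000_000  # fixed clock so the demo is deterministic


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(payload: dict) -> bytes:
    # Canonical JSON so issuer and resource hash exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_token(issuer: str, key: bytes, subject: str, claims: dict,
                now: int = DEMO_NOW, lifetime: int = 300) -> str:
    """Issuer side: vouch for `subject` by signing a set of claims about it."""
    payload = {"iss": issuer, "sub": subject, "iat": now,
               "exp": now + lifetime, "claims": claims}
    body = _encode(payload)
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str, trusted: dict, now: int = DEMO_NOW):
    """Resource side: return the payload, or None if the token is not from a
    trusted issuer, is not correctly signed, or is outside its validity."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        payload = json.loads(body)
    except ValueError:            # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("claims"), dict):
        return None
    iss = payload.get("iss")
    key = trusted.get(iss) if isinstance(iss, str) else None
    if key is None:               # issuer unknown: nobody we trust vouched
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # tampered or forged
        return None
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int) or not iat <= now < exp:
        return None
    return payload


def can_access(payload: dict, action: str) -> bool:
    """Resource-side policy evaluated over verified claims. Roles travel as
    just another claim, so a role rule and an attribute rule look the same."""
    claims = payload["claims"]
    roles = set(claims.get("roles", []))
    if action == "approve-expense":
        return "Manager" in roles                       # plain role check
    if action == "view-ledger":                          # role OR attribute
        return "Auditor" in roles or claims.get("department") == "Finance"
    return False


def tamper(token: str, new_claims: dict) -> str:
    """Constructed attack: rewrite the claims without the issuer's key."""
    body_b64, sig_b64 = token.split(".")
    payload = json.loads(_unb64(body_b64))
    payload["claims"] = new_claims
    return _b64(_encode(payload)) + "." + sig_b64


if __name__ == "__main__":
    ad = "urn:example:corp-ad"
    alice = issue_token(ad, ISSUER_KEYS[ad], "alice",
                        {"roles": ["Manager"], "department": "Sales"})
    p = verify_token(alice, TRUSTED_ISSUERS)
    print("alice approve-expense:", can_access(p, "approve-expense"))
    forged = tamper(alice, {"roles": ["Manager", "Auditor"]})
    print("tampered token accepted:", verify_token(forged, TRUSTED_ISSUERS) is not None)
```

Run it directly to see the Manager token accepted and the tampered copy rejected. The `tamper` function is why the resource checks the signature before reading any claim, and a token from the partner issuer shows the federation case: the resource trusts a second issuer's signature without ever seeing the partner's user store or role table.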

Hope this clarifies the difference between claims-based authentication and role-based authorization. You can always ping me back in case something is still unclear.
