What is the idea behind IIdentity and IPrincipal in .NET

Asked 24/11, 2014 at 15:4 Answered 21/3, 2017 at 6:0

So, what is the purpose for existence of both IIdentity and IPrincipal, and not some IIdentityMergedWithPrincipal? When is it not enough to implement both in same class?

Also, to understand purpose, I'd like to know where this concept comes from:

It is originated in .Net
There is concept of Identity/Principal as design pattern, which System.Security.Principal implemented in those interfaces
It is originated somewhere else and supported for compatibility

Therefore, does UserPrincipal from System.DirectoryServices act similarly to IPrincipal but not implement it by accident or by intention?

P.S. I'm looking for reasoning behind idea, not benefits/controversies comparison, so please try not to start opinion-based discussion

Superorder answered 24/11, 2014 at 15:4 Comment(4)

have you read the following articles of the many others that are out there msdn.microsoft.com/en-us/library/ee748503.aspx What do you not understand.. ? try reading up on `PrincipalContect as well I think that you will gain a better understanding on the how and why – Zaibatsu 24/11, 2014 at 15:10

The Active Directory Principal classes have absolutely nothing to do with the IIdentity and IPrincipal in the core .NET framework. Those are totally independent and not related in any way, shape or form (other than the naming...) – Pitfall 24/11, 2014 at 15:40

Surely, Active Directory Principal is not in any way dependent on IPrincipal, however I think that there is implicit connection. For example: compare IPrincipal.IsInRole(string role) and UserPrincipal.IsMemberOf(GroupPrincipal group). I think it is possible to write custom IPrincipal wrapper around UserPrincipal – Superorder 24/11, 2014 at 15:53

It should be noted that there is absolutely no reason why you couldn't create a concrete type that implements both IPrincipal and IIdentity if you really wanted to. public class MyIdentityMergedWithPrincipal : IPrincipal, IIdentity. If the interfaces were rolled into one on the other hand, you wouldn't be able to separate them like you can (and probably should) now. The separate interfaces are for separate concerns. – Palfrey 11/7, 2016 at 12:9

IIdentity is just used for the user's authenticated identity, regardless of what roles they may have.

IPrincipal is used to combine a user's identity with the authorized roles they have in a given security context.

For example, you can use a third-party login provider, like Facebook or Google, to get the user's identity, but you will not get a principal from those providers, as they don't provide any roles. You can use your own application or a third-party role-based authorization provider to apply roles to, say, a FacebookIdentity or GoogleIdentity. A different application can expect a different principal, with its own roles, but still use the same identity as in another application.

Idette answered 24/11, 2014 at 15:54 Comment(4)

So, there are used to separate authentication and authorization concern. Thank you for your example, now I see that they can be not dependent on each other, therefore separate entities. – Superorder 24/11, 2014 at 16:2

One point of confusion I've found is that frequently, people are putting identity-related properties (e.g. name, email) on the IPrincipal implementation rather than the IIdentity, because they can't be bothered to type e.g. User.Identity.Email (in the days of Intellisense and auto-complete), and would rather save a few keystrokes and enter User.Email. – Contort 22/8, 2016 at 23:53

Then why does IIdentity have an IsAuthenticated property? – Loiret 7/3, 2017 at 1:10

Unauthenticated users can still have an IIdentity associated with them, in which case the IsAuthenticated property will be false (e.g., anonymous web site visitors). – Idette 8/3, 2017 at 17:8

A principal is the security context of a user.

In the case of .NET, a principal supports the concept of having more than one identity (This has nothing to do with claims yet). This is particularly important when it comes to semantics that developers need to deal with when it comes to user identity. You may be called on as a developer to support multiple identities coming from different sources (identity providers IdPs), for example: Twitter, Google, whatever.

So what's the different between a IPrincipal and IIDentity? IPrincipal is the security context (for a single thread), and the IIDentity is the set of attributes associated with that user coming from a specific identity provider / authority.

Whitehouse answered 17/6, 2015 at 20:7 Comment(0)

As MSDN site says:

The identity object encapsulates information about the user or entity being validated. At their most basic level, identity objects contain a name and an authentication type.

whereas

The principal object represents the security context under which code is running.

Refer to the above link for a lot more info.

HTH

Coronograph answered 14/10, 2015 at 18:33 Comment(0)

-4

public class HBPrincipal : IPrincipal
{
     private HBIdentity _identity;

     public HBPrincipal(HBIdentity identity)
    {
        _identity = identity;
    }

    public IIdentity Identity
    {
        get
        {
            return _identity;
        }
    }

    public bool IsInRole(string role)
    {
        // TODO implement roles
        return false;
    }
}

Transcribe answered 21/3, 2017 at 6:0 Comment(2)

This does not seem to answer the question at all. – Pendulous 21/3, 2017 at 6:21

This needs some description as to what you are actually trying to convey here to the OP. – Trieste 29/10, 2019 at 17:6

Recommended topics

Hot tags