The main audience of this article are those who need a quick overview or recap of how authentication in an ASP.NET Core web application works.

I’ll briefly walk thru the concepts of Authentication Scheme, (Claims)Principal, (Claims)Identity and Claims.

Scheme, Principal, Identity, and Claims collectively form the foundation for authentication

Claims Principal
This the user. Plain and simple. The principal may have multiple identities. We’ll get to that.

Claims Identity
Any identification that the principal owns or has been issued. This may for example be a passport in real life.

In the digital world, a claims principal may have an identity on Google, Facebook, Microsoft, etc — these may also be called Identity Providers.

Claims
In abstract terms, a claim is a statement an entity makes about itself or another entity.

Practically, this means that when you get an identity from e.g. Google or Facebook, the identity also contains a list of claims. A claim may be one such as “name: John Doe” — in this case, “name” is a claim the identity provider has made about the principal. It’s your job to trust whether the value — “John Doe” — is true or not.

Authentication Scheme
Consider a scheme as a resource guard that you’ll need to authenticate users against.

You log users into schemes. When a user is logged into a specific scheme, they will have access to resources (e.g. endpoints) protected with that specific scheme.

It makes sense to use multiple Authentication Schemes if you want different areas of your application to have varying security levels. As an example, you may want to secure admin areas with a scheme that requires a user to authenticate with Two/Multi-Factor authentication.

Demonstrating how Schemes and the [Authorize] attribute are connected

Below you’ll see a list of registered authentication handlers and endpoints protected with different schemes. A protected endpoint will challenge the user against the scheme it’s guarded by.

Notice that I’m mixing styles of defining the scheme names. You’d want to use constants over raw strings. In the example above, I’m just using strings to show you that you can name schemes whatever you’d like.

IdentityConstants.ApplicationScheme evaluates to “Identity.Application”, and JwtBearerDefaults.AuthenticationScheme is simply “Bearer”.

This article was originally published on medium.