Difference between revisions of "Claim"
From MgmtWiki
(→Context) |
(→Context) |
||
| (8 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Full Title or Meme== | ==Full Title or Meme== | ||
| − | A statement by or about a [[Subject]] is a | + | A statement by or about a [[Subject]] is a [[Claim]]. If there is some corroboration of the claim, it is called a [[Validated]] or [[Verified Claim]]. |
A collection of [[Attribute]]s and other information about a user that are used in [[Authorization]] of access to a [[Resource]]. | A collection of [[Attribute]]s and other information about a user that are used in [[Authorization]] of access to a [[Resource]]. | ||
==Context== | ==Context== | ||
| − | *The English word [[Claim]] means to call our for, or to publish, pretty much the same meaning as the Latin word '' | + | *The English word [[Claim]] means to call our for, or to publish, pretty much the same meaning as the Latin word ''clamare''.<ref>Walther W. Skeat, An Etyological Dication of the English Language. Oxford (1882)</ref> |
* The [https://tools.ietf.org/html/rfc7519#section-2 JWT spec] defines it as "A piece of information asserted about a subject. A claim is represented as a name/value pair consisting of a Claim Name and a Claim Value." | * The [https://tools.ietf.org/html/rfc7519#section-2 JWT spec] defines it as "A piece of information asserted about a subject. A claim is represented as a name/value pair consisting of a Claim Name and a Claim Value." | ||
| + | * The first patent that described the process of using a claim (authentication ticket) in an Authorization process (OAuth) appears to be: United States Patent 7,257,835 Thomas C. Jones August 14, 2007 Filed: May 28, 2003 ''Securely authorizing the performance of actions'' | ||
| + | <blockquote>Securely authorizing the performance of actions may be enabled by linking each secure/privileged action to a requisite policy for authorizing that secure/privileged action. In a described media implementation, one or more electronically-accessible media include electronically-executable instructions that, when executed, direct an electronic device to execute operations including: receiving an action performance request that is directed to a requested action; locating an authorization policy that is associated with the requested action from among multiple authorization policies, the authorization policy indicating how performance of the requested action can be authorized; and extracting at least one rule and one or more authentication ticket requirements from the authorization policy. Example operations may further include: determining whether one or more authentication tickets have been validated in accordance with the at least one rule and/or the one or more authentication ticket requirements; and if so, authorizing performance of the requested action.</blockquote> | ||
==Solution== | ==Solution== | ||
| Line 13: | Line 15: | ||
# The [[Web Site]] will send a scope to a [[User]] asking for [[Claim]]s to authorize access. | # The [[Web Site]] will send a scope to a [[User]] asking for [[Claim]]s to authorize access. | ||
# The [[User Agent]] should know, a priori, where to send the [[Claim]]s for verification. | # The [[User Agent]] should know, a priori, where to send the [[Claim]]s for verification. | ||
| − | # The | + | # The [[Verified Claim]]s will be collected and forwarded to the [[Web Site]]. |
| − | # The [[Web Site]] will evaluate the | + | # The [[Web Site]] will evaluate the [[Verified Claim]]s and determine whether to authorize access to the resource. |
# Optionally the [[Web Site]] will request additional claims to meet the needs to authorize access. | # Optionally the [[Web Site]] will request additional claims to meet the needs to authorize access. | ||
Revision as of 22:35, 24 July 2020
Full Title or Meme
A statement by or about a Subject is a Claim. If there is some corroboration of the claim, it is called a Validated or Verified Claim.
A collection of Attributes and other information about a user that are used in Authorization of access to a Resource.
Context
- The English word Claim means to call our for, or to publish, pretty much the same meaning as the Latin word clamare.[1]
- The JWT spec defines it as "A piece of information asserted about a subject. A claim is represented as a name/value pair consisting of a Claim Name and a Claim Value."
- The first patent that described the process of using a claim (authentication ticket) in an Authorization process (OAuth) appears to be: United States Patent 7,257,835 Thomas C. Jones August 14, 2007 Filed: May 28, 2003 Securely authorizing the performance of actions
Securely authorizing the performance of actions may be enabled by linking each secure/privileged action to a requisite policy for authorizing that secure/privileged action. In a described media implementation, one or more electronically-accessible media include electronically-executable instructions that, when executed, direct an electronic device to execute operations including: receiving an action performance request that is directed to a requested action; locating an authorization policy that is associated with the requested action from among multiple authorization policies, the authorization policy indicating how performance of the requested action can be authorized; and extracting at least one rule and one or more authentication ticket requirements from the authorization policy. Example operations may further include: determining whether one or more authentication tickets have been validated in accordance with the at least one rule and/or the one or more authentication ticket requirements; and if so, authorizing performance of the requested action.
Solution
Claims typically go through a series of steps, for example:
- A User will go to a Web Site hosting a Resource that the user wants to access.
- The Web Site will send a scope to a User asking for Claims to authorize access.
- The User Agent should know, a priori, where to send the Claims for verification.
- The Verified Claims will be collected and forwarded to the Web Site.
- The Web Site will evaluate the Verified Claims and determine whether to authorize access to the resource.
- Optionally the Web Site will request additional claims to meet the needs to authorize access.
- In computer networking a variety of statements can be made by a user to acquire authorized access to a resource.
- The distinction as to Authentication, who a user is, versus Authorization, or what that user is permitted to do, is no longer helpful.
- NIST has recognized that there are multiple metrics for the quality of statements about a user in their third update to SP 800-63
- Claims can be highly detailed, do to data fields, or a collection of fields, like the User address, this can be overwhelming if presented for User Consent. Some protocols, like OpenID Connect provide for aggregated collections of claims that OpenID calls Scope.[2]
References
- ↑ Walther W. Skeat, An Etyological Dication of the English Language. Oxford (1882)
- ↑ Nat Sakimura Scopes and Claims in OpenID Connect https://nat.sakimura.org/2012/01/26/scopes-and-claims-in-openid-connect/
