Identity in .NET 4.5 – Part 3: (Breaking) changes

I recently started porting a private build of Thinktecture.IdentityModel to .NET 4.5 and noticed a number of changes. The good news is that I can delete large parts of my library because many features are now in the box. Along the way I found some other nice additions.

  • ClaimsIdentity now has methods to query the claims collection, e.g. HasClaim(), FindFirst(), FindAll().
  • ClaimsPrincipal has those methods as well. But they work across all contained identities. Nice!
  • ClaimsPrincipal.Current retrieves the ClaimsPrincipal from Thread.CurrentPrincipal. Combined with the above changes, no casting necessary anymore.
  • SecurityTokenHandler now has read and write methods that work directly with strings. This makes it much easier to deal with non-XML tokens like SWT or JWT.
  • A new session security token handler that uses the ASP.NET machine key to protect the cookie. This makes it easier to get started in web farm scenarios.
  • No need for a custom service host factory or the federation behavior anymore. WCF can be switched into “WIF mode” with the useIdentityConfiguration switch (odd name though).
  • Tooling has become better and the new test STS makes it very easy to get started.
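The following console program is an added example (not code from the post or from Thinktecture.IdentityModel) that exercises the query methods listed above. It builds a principal holding two identities so the difference between identity-level and principal-level queries is visible, and reads the principal back through ClaimsPrincipal.Current. The claim values, the "urn:example:tenant" claim type and the authentication type names are constructed for the demo; it needs only mscorlib (System.Security.Claims) on .NET 4.5.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading;

public static class ClaimsQueryDemo
{
    // Two identities in one principal, e.g. a corporate login plus a partner token.
    // All claim values below are constructed for this example.
    public static ClaimsPrincipal BuildPrincipal()
    {
        var corp = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Email, "alice@example.test"),
            new Claim(ClaimTypes.Role, "Reader"),
        }, "Corporate");

        var partner = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Role, "Approver"),
            new Claim("urn:example:tenant", "contoso"),   // hypothetical claim type
        }, "Partner");

        return new ClaimsPrincipal(new[] { corp, partner });
    }

    public static void Main()
    {
        // ClaimsPrincipal.Current reads Thread.CurrentPrincipal; no cast to IClaimsPrincipal needed.
        Thread.CurrentPrincipal = BuildPrincipal();
        ClaimsPrincipal p = ClaimsPrincipal.Current;

        // Identity-level query: only that identity's own claims are searched.
        ClaimsIdentity first = p.Identities.First();
        Console.WriteLine(first.HasClaim(ClaimTypes.Role, "Approver")); // False: Approver lives in the other identity

        // Principal-level queries span every identity contained in the principal.
        Console.WriteLine(p.HasClaim(ClaimTypes.Role, "Approver"));     // True
        Console.WriteLine(p.IsInRole("Approver"));                       // True: uses each identity's RoleClaimType

        // FindFirst returns null rather than throwing when nothing matches, so always check.
        Claim email = p.FindFirst(ClaimTypes.Email);
        Console.WriteLine(email != null ? email.Value : "<no email claim>");

        // FindAll collects matches across identities; Claim.Issuer and Claim.Subject tell you where each came from.
        foreach (Claim role in p.FindAll(ClaimTypes.Role))
            Console.WriteLine("{0} (issuer: {1}, via: {2})", role.Value, role.Issuer, role.Subject.AuthenticationType);

        // The predicate overload lets an authorization decision be fenced to claims from one specific identity.
        bool approverFromCorp = p.HasClaim(c => c.Type == ClaimTypes.Role
                                             && c.Value == "Approver"
                                             && c.Subject.AuthenticationType == "Corporate");
        Console.WriteLine(approverFromCorp); // False
    }
}
```

The last check is the one worth remembering: because the principal-level methods merge claims from every identity, a role or permission claim delivered by a weaker or differently trusted identity satisfies HasClaim and IsInRole just as well as one from your primary login. When that matters, query through the predicate overloads (or the specific ClaimsIdentity) and look at Issuer and Subject rather than only at the claim type and value.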

On the other hand – and that was kind of expected – to bring claims into the core framework, there are also some breaking changes for WIF code. If you want to migrate (and I would recommend that), most changes to your code are mechanical. The following is a brain dump of the changes I encountered.

  • Assembly Microsoft.IdentityModel is gone. The new functionality is now in mscorlib, System.IdentityModel(.Services) and System.ServiceModel.
  • All the namespaces have changed as well.
  • No IClaimsPrincipal and IClaimsIdentity anymore.
  • Configuration section has been split into <system.identityModel /> and < />.
  • WCF configuration story has changed as well.
  • Claim.ClaimType is now Claim.Type.
  • ClaimCollection is now IEnumerable<Claim>.
  • IsSessionMode is now IsReferenceMode.
  • Bootstrap token handling is different now.
  • ClaimsPrincipalHttpModule is gone. This is not really needed anymore, apart from maybe claims transformation (see here).
  • Various factory methods on ClaimsPrincipal are gone (e.g. ClaimsPrincipal.CreateFromIdentity()).
  • SecurityTokenHandler.ValidateToken now returns a ReadOnlyCollection<ClaimsIdentity>.
  • Some lower level helper classes are gone or internal now (e.g. KeyGenerator).
  • The WCF WS-Trust bindings are gone. I think this is a pity. They were *really* useful when doing work with WSTrustChannelFactory.
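To make the mechanical changes concrete, here is an added example (not from the post or from Thinktecture.IdentityModel) of a minimal custom SecurityTokenHandler written against the .NET 4.5 API: the string-based ReadToken/WriteToken overrides from the first list, and ValidateToken returning ReadOnlyCollection<ClaimsIdentity> instead of WIF's ClaimsIdentityCollection. The token format ("subject|expiryTicks|base64-HMAC"), the type URI and the key are constructed for the demo only; the code references System.IdentityModel.dll and mscorlib.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

// Hypothetical token type for the demo; a real handler would wrap SWT, JWT or similar.
public class DemoToken : SecurityToken
{
    private readonly string _id = Guid.NewGuid().ToString("N");
    public string Subject { get; private set; }
    public DateTime Expires { get; private set; }

    public DemoToken(string subject, DateTime expiresUtc) { Subject = subject; Expires = expiresUtc; }

    public override string Id { get { return _id; } }
    public override DateTime ValidFrom { get { return DateTime.MinValue; } }
    public override DateTime ValidTo { get { return Expires; } }
    public override ReadOnlyCollection<SecurityKey> SecurityKeys
    {
        get { return new ReadOnlyCollection<SecurityKey>(new List<SecurityKey>()); }
    }
}

public class DemoTokenHandler : SecurityTokenHandler
{
    private const string TokenTypeUri = "urn:example:demo-token"; // hypothetical identifier
    private readonly byte[] _key;
    public DemoTokenHandler(byte[] key) { _key = key; }

    public override Type TokenType { get { return typeof(DemoToken); } }
    public override string[] GetTokenTypeIdentifiers() { return new[] { TokenTypeUri }; }
    public override bool CanValidateToken { get { return true; } }
    public override bool CanWriteToken { get { return true; } }

    // 4.5 addition: the handler works on plain strings, no XmlReader/XmlWriter wrapping required.
    public override bool CanReadToken(string tokenString) { return tokenString.Split('|').Length == 3; }

    public override string WriteToken(SecurityToken token)
    {
        var t = (DemoToken)token;
        if (t.Subject.Contains("|")) throw new SecurityTokenException("Subject must not contain the delimiter");
        string payload = t.Subject + "|" + t.Expires.Ticks;
        return payload + "|" + Convert.ToBase64String(Sign(payload));
    }

    public override SecurityToken ReadToken(string tokenString)
    {
        string[] parts = tokenString.Split('|');
        if (parts.Length != 3) throw new SecurityTokenException("Malformed token");
        string payload = parts[0] + "|" + parts[1];
        if (!FixedTimeEquals(Sign(payload), Convert.FromBase64String(parts[2])))
            throw new SecurityTokenValidationException("Signature check failed");
        return new DemoToken(parts[0], new DateTime(long.Parse(parts[1]), DateTimeKind.Utc));
    }

    // 4.5 signature: returns ReadOnlyCollection<ClaimsIdentity>, not WIF's ClaimsIdentityCollection.
    public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
    {
        var t = (DemoToken)token;
        if (t.ValidTo < DateTime.UtcNow) throw new SecurityTokenExpiredException("Token has expired");
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, t.Subject) }, "DemoToken");
        return new ReadOnlyCollection<ClaimsIdentity>(new List<ClaimsIdentity> { identity });
    }

    private byte[] Sign(string payload)
    {
        using (var hmac = new HMACSHA256(_key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Length-independent comparison of the MAC to avoid leaking mismatch position through timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("demo-only-key-not-for-production"); // constructed
        var handler = new DemoTokenHandler(key);

        string wire = handler.WriteToken(new DemoToken("alice", DateTime.UtcNow.AddMinutes(5)));
        SecurityToken token = handler.ReadToken(wire);                 // verifies the MAC
        ReadOnlyCollection<ClaimsIdentity> ids = handler.ValidateToken(token);
        Console.WriteLine(new ClaimsPrincipal(ids).FindFirst(ClaimTypes.Name).Value); // alice

        try { handler.ReadToken(wire.Replace("alice", "admin")); }
        catch (SecurityTokenValidationException) { Console.WriteLine("tampered token rejected"); }
    }
}
```

Two things carry over from the migration notes: the collection returned by ValidateToken drops straight into the new ClaimsPrincipal(IEnumerable<ClaimsIdentity>) constructor, so the factory methods that disappeared from ClaimsPrincipal are not missed, and the handler never needs the old XML plumbing for a non-XML token.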

Since WIF is part of the Windows operating system and also supported in future versions of .NET, there is no urgent need to migrate to the 4.5 claims model. But obviously, going forward, at some point you want to make the move.

This entry was posted in .NET Security, IdentityModel.

3 Responses to Identity in .NET 4.5 – Part 3: (Breaking) changes

  1. I am doing some work to port my STS implementation to .NET 4.5 and I have noticed two things are missing (probably intentionally) from the RequestSecurityToken class when compared to WIF.
    Firstly, there’s no InformationCardReference field, so how can I determine whether this is an info-card request?
    Secondly, what happened to DisplayClaims?

    Many thanks,

    • Well – I wouldn’t be surprised if they are removed. You could somehow parse the raw WS-Trust message – but not sure where to start frankly.

      You can stick with WIF – it is a supported Windows component.

  2. Thanks for the quick reply – I agree sticking with WIF is a better move for now – just wanted to take a look at the 4.5 bits (which I can and will still do in my relying-party app, of course).
