This thread was good because it helped clarify my thinking. There are 2 phases (for simplicity) where ClaimsPrincipal shows up:
- The authentication flow
- The authorization flow

Claims are typically used to store authentication data. #dotnet #aspnetcore 🧵👇🏾
That data is then used to look up more user information (profile data) usually stored in a database/cache. This profile data usually also contains permissions, and authorization rules are then run over this user for different types of application "resources".
These resources typically include (but are not restricted to):
- The HTTP endpoint
- Some business object

The authorization process usually needs access to all user profile information including permissions to do authorization checks.
ASP.NET's authentication system produces a ClaimsPrincipal and the authorization system flows that ClaimsPrincipal to your code. This encourages users to put more things in claims as it's the only thing that flows in a first-class way everywhere in the stack.
Putting more things in claims avoids more database round trips per request as the associated data is stashed at the protocol layer (the cookie, the JWT token etc). It increases the size of these tokens to avoid a potential database round trip per request.
This leads to people storing permissions in claims which makes doing authorization checks much easier as permission checks turn into checks for certain claims.
There's a philosophical debate about what should and should not be a claim and that leads to confusion.
The fact is, when the ClaimsPrincipal is used at the authentication layer, it's about the wire protocol. Data is read from the wire and turned into a ClaimsPrincipal and data is read from the ClaimsPrincipal and persisted back over the wire.
The ClaimsPrincipal is also used as an "exchange type" in .NET. It's the universal representation of an identity in the system so it's easy to pass it around everywhere.
So that leads us back to the original problem: Which user representation should developers be using for authorization checks? How does that user representation reach their authorization handlers?
This is what needs to be made clearer with docs and samples and possibly framework features.

Thanks for coming to my TED talk.
Thanks for the insights @BrockLAllen!
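The two routes the thread contrasts, written out as an added example (not code from the thread or from ASP.NET Core's own samples): policy "CanViewOrders.Claims" checks a permission claim carried on the wire, while "CanViewOrders" lets the ClaimsPrincipal carry only the subject id and has an authorization handler resolve permissions from a store, so the cookie/JWT stays small and a revoked permission stops working on the next request rather than at the next login. "OrderOwner" shows the same principal being evaluated against a business object rather than an endpoint. IPermissionStore, InMemoryPermissionStore, Order, the policy names and the "permission" claim type are assumptions constructed for this sample; the authorization types and extension methods are real ASP.NET Core APIs.

```csharp
// Added example (not from the thread). Names marked "hypothetical" are
// constructed for this sample; the framework types are ASP.NET Core APIs.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("Cookies").AddCookie("Cookies");

// Hypothetical profile/permission store standing in for the database or cache
// the thread mentions. Only the subject id is read from the principal.
builder.Services.AddSingleton<IPermissionStore, InMemoryPermissionStore>();
builder.Services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
builder.Services.AddSingleton<IAuthorizationHandler, OrderOwnerHandler>();

builder.Services.AddAuthorization(options =>
{
    // Option A: permissions stored as claims. No lookup per request, but every
    // permission rides in the token and is only as fresh as the token.
    options.AddPolicy("CanViewOrders.Claims",
        p => p.RequireClaim("permission", "orders:view"));

    // Option B: claims carry identity only; the handler resolves permissions.
    options.AddPolicy("CanViewOrders",
        p => p.AddRequirements(new PermissionRequirement("orders:view")));

    // Resource-based policy evaluated against a business object.
    options.AddPolicy("OrderOwner",
        p => p.AddRequirements(new OrderOwnerRequirement()));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The HTTP endpoint as the protected resource.
app.MapGet("/orders", () => Results.Ok("orders")).RequireAuthorization("CanViewOrders");

// A business object as the protected resource: principal and order are
// handed to the authorization service together.
app.MapGet("/orders/{id:int}", async (int id, ClaimsPrincipal user, IAuthorizationService authz) =>
{
    var order = new Order(id, OwnerId: "user-42"); // constructed sample data
    var result = await authz.AuthorizeAsync(user, order, "OrderOwner");
    return result.Succeeded ? Results.Ok(order) : Results.Forbid();
}).RequireAuthorization();

app.Run();

public record Order(int Id, string OwnerId); // hypothetical business object

public interface IPermissionStore // hypothetical
{
    bool HasPermission(string subjectId, string permission);
}

public sealed class InMemoryPermissionStore : IPermissionStore // hypothetical
{
    private static readonly Dictionary<string, HashSet<string>> Grants = new()
    {
        ["user-42"] = new() { "orders:view" }, // constructed sample grant
    };

    public bool HasPermission(string subjectId, string permission)
        => Grants.TryGetValue(subjectId, out var set) && set.Contains(permission);
}

public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public PermissionRequirement(string permission) => Permission = permission;
    public string Permission { get; }
}

public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IPermissionStore _store;
    public PermissionHandler(IPermissionStore store) => _store = store;

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        // Only the stable subject identifier is trusted from the wire; the
        // permission itself comes from the store, not from the token.
        var subjectId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (subjectId is not null && _store.HasPermission(subjectId, requirement.Permission))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public sealed class OrderOwnerRequirement : IAuthorizationRequirement { }

public sealed class OrderOwnerHandler : AuthorizationHandler<OrderOwnerRequirement, Order>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OrderOwnerRequirement requirement, Order order)
    {
        var subjectId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (subjectId == order.OwnerId)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
```

The handlers are registered as singletons and the store is the only dependency they take, so the ClaimsPrincipal remains the exchange type the thread describes while the profile data stays server-side; switching an endpoint from "CanViewOrders.Claims" to "CanViewOrders" changes where the permission is read from without touching the endpoint itself.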

Thread by David Fowler (@davidfowl)