using System.Collections.Generic;
namespace OwinFramework.InterfacesV1.Middleware
{
///
/// Defines the functionallity exposed by the identification feature that
/// can be used by other middleware compoennts.
///
/// Identification is the business of figuring out who made this request. The
/// caller can be a user, an application, a trusted third party system etc.
///
public interface IIdentification
{
///
/// Returns a unique identifier for the user that made the request.
///
string Identity { get; }
///
/// Returns true if the user could not be identified from the request. In this
/// case the Identity property will still contain a unique value, but this value
/// can change with subsequent requests from the same user.
///
bool IsAnonymous { get; }
///
/// This is a list of claims made by the caller. For example the caller can
/// claim to have an email address, a real name, an avatar etc. It is also possible
/// to use claims to represent permissions, for example the user can claim to be
/// an administrator. Each claim has a claim status that indicates if the claim
/// was supported by evidence, and if that evidence has be verified.
///
IList Claims { get; }
///
/// Users can create additional methods of authenticating against their account,
/// for example by generating an API key which allows other applications or
/// services to access their account. These additional authentication methods
/// can be restricted by passing a list of "purposes" that they can be used for.
/// For example your application can define purposes of "read my messages" or
/// "manage my calendar" then API tokens can be created that only allow the
/// third party application to read my messages for example.
/// When the user logs in using their own credentials this property will be
/// null or an empty list. When a third party application logs in using a
/// restricted access token, the list of things that they are allowed to do
/// will be available in this property.
///
IList Purposes { get; }
}
///
/// Represents a claim made by the entity that is requesting access to a protected
/// resource.
///
public interface IIdentityClaim
{
///
/// This is the name of the claim the entity is making. This can be one of the
/// constants defined in the ClaimNames class or any other name that is not
/// already defined here.
///
string Name { get; }
///
/// The value associated with this name. For example if the Name property
/// contains ClaimNames.Email then this value property will contain the
/// email address.
///
string Value { get; }
///
/// Indicates if the identification system has verified this claim. Note that
/// the claim can be verified at the point where the entity requests access, or
/// it can be stored with the identity. For example a user can log in with a
/// username and password, so their username is a verified claim, then they
/// can specify their email address, which is an unverified claim. The system
/// can send an email to the email address and if the user clicks a link in
/// the email and verifies their username and password, we can now flag the
/// email address as verified. Next time the user identifies via username and
/// password, the identiity middleware can include a verified email claim because
/// it knows that the verified email address is associated with that username.
///
ClaimStatus Status { get; }
}
///
/// Specifies the wll known claim names
///
public static class ClaimNames
{
///
/// The email address of the identity
///
public const string Email = "email";
///
/// The username or display name of the identity
///
public const string Username = "username";
///
/// The domain name that the user was logged into. For example
/// for active directory intrgration if the user logged into
/// a domain controller and presented a kerberos token as evidence
/// then this would be a verified claim to be a member of that
/// active directory domain. If the request is from another
/// trusted organization in a B2B transaction, this can also be
/// the dmain name of the organization requesting access
///
public const string Domain = "domain";
///
/// The last name of a real person
///
public const string Surname = "surname";
///
/// The first name of a real person
///
public const string FirstName = "firstname";
///
/// The phone number of a real person
///
public const string PhoneNumber = "phone";
///
/// The year in which the person was born
///
public const string BirthYear = "birth-year";
///
/// The month in which the person was born
///
public const string BirthMonth = "birth-month";
///
/// The day in which the person was born
///
public const string BirthDay = "birth-day";
///
/// The name of the software that is requesting access
///
public const string Application = "application";
///
/// The machine name of the server that is requesting access
///
public const string Machine = "machine";
///
/// The V4 IP address of the identity
///
public const string IpV4 = "ip-v4";
///
/// The V6 IP address of the identity
///
public const string IpV6 = "ip-v6";
}
///
/// When an entity submits a request to a secure resource, it makes claims about its
/// identity and supports those claims with evidence. For example a user might claim
/// to have a certain username, and support that claim by providing the password as
/// evidence. If the evidence is accepted then the user's claim is verfied. The user
/// might also make a claim about their email address, but we can't verify this claim
/// until we send an email to this address and have the user click a link in the email
/// and type in their password.
///
public enum ClaimStatus
{
///
/// This means that claim verification is pending, od the software does not
/// have a mechanism to verify the claim.
///
Unknown,
///
/// This status means that the software took steps to verify the claim, and it
/// can be trusted by the application.
///
Verified,
///
/// This means that the claim has no evidence to support it, or the claim
/// verification failed. The claim can not be trusted.
///
Unverified
}
}