So, what is the purpose for existence of both IIdentity
and IPrincipal
, and not some IIdentityMergedWithPrincipal
? When is it not enough to implement both in same class?
Also, to understand purpose, I'd like to know where this concept comes from:
- It is originated in .Net
- There is concept of Identity/Principal as design pattern, which
System.Security.Principal
implemented in those interfaces - It is originated somewhere else and supported for compatibility
Therefore, does UserPrincipal
from System.DirectoryServices
act similarly to IPrincipal
but not implement it by accident or by intention?
P.S. I'm looking for reasoning behind idea, not benefits/controversies comparison, so please try not to start opinion-based discussion
IIdentity
is just used for the user's authenticated identity, regardless of what roles they may have.IPrincipal
is used to combine a user's identity with the authorized roles they have in a given security context.For example, you can use a third-party login provider, like Facebook or Google, to get the user's identity, but you will not get a principal from those providers, as they don't provide any roles. You can use your own application or a third-party role-based authorization provider to apply roles to, say, a
FacebookIdentity
orGoogleIdentity
. A different application can expect a different principal, with its own roles, but still use the same identity as in another application.