This post on authentication and authorization is from Premier Developer consultant Marius Rochon.
The claims in a ClaimsPrincipal usually originate from the security token the application receives during user authentication (a SAML assertion or an OpenID Connect id token) or access authorization (an OAuth2 bearer access token). Sometimes, however, that list needs to be augmented with claims derived from other sources:
- Attributes retrieved from custom databases
- Attributes not initially included in the security token but which can be retrieved from the Security Token Service (e.g. Azure AD via Graph API).
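The following is an added example, not code from Marius' post, showing one way to do this augmentation in ASP.NET Core with the framework's `IClaimsTransformation` hook. The `IUserAttributeStore` interface and its in-memory implementation are hypothetical stand-ins for the custom database or Graph API lookup; in a real application the store would query that source and the sample user data would not exist. Two defensive details are worth noting: the principal is cloned because the pipeline can invoke the transformation more than once per request, and every locally added claim carries a distinct issuer so that authorization policies can distinguish claims asserted by the token from claims the application derived itself.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over the external attribute source (custom database,
// Graph API, ...). The real implementation is application-specific.
public interface IUserAttributeStore
{
    Task<IReadOnlyList<KeyValuePair<string, string>>> GetAttributesAsync(string userId);
}

// Constructed in-memory store so the example runs without any backend.
public sealed class InMemoryAttributeStore : IUserAttributeStore
{
    private static readonly Dictionary<string, List<KeyValuePair<string, string>>> Data = new()
    {
        ["user-001"] = new()
        {
            KeyValuePair.Create("department", "finance"),
            KeyValuePair.Create("role", "approver"),
        },
    };

    public Task<IReadOnlyList<KeyValuePair<string, string>>> GetAttributesAsync(string userId)
    {
        IReadOnlyList<KeyValuePair<string, string>> result =
            Data.TryGetValue(userId, out var attrs) ? attrs : new List<KeyValuePair<string, string>>();
        return Task.FromResult(result);
    }
}

public sealed class AttributeClaimsTransformation : IClaimsTransformation
{
    // Issuer value stamped on every claim this class adds, so downstream code can
    // tell token-asserted claims from locally derived ones.
    private const string LocalIssuer = "LocalAttributeStore";
    private readonly IUserAttributeStore _store;

    public AttributeClaimsTransformation(IUserAttributeStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Clone rather than mutate: the framework may call TransformAsync more than
        // once per request, and adding to the original would duplicate claims.
        var clone = principal.Clone();
        var identity = clone.Identity as ClaimsIdentity;
        if (identity is null || !identity.IsAuthenticated)
            return clone;

        // Idempotency guard: if our claims are already present, do nothing.
        if (identity.HasClaim(c => c.Issuer == LocalIssuer))
            return clone;

        // Key the lookup on the token's stable subject identifier, never on a
        // mutable display name or email address.
        var userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
            return clone;

        foreach (var attr in await _store.GetAttributesAsync(userId))
        {
            identity.AddClaim(new Claim(attr.Key, attr.Value, ClaimValueTypes.String, LocalIssuer));
        }
        return clone;
    }
}

public static class ClaimsTransformationRegistration
{
    // Call from Program.cs / Startup.ConfigureServices after adding authentication.
    public static IServiceCollection AddAttributeClaims(this IServiceCollection services)
    {
        services.AddSingleton<IUserAttributeStore, InMemoryAttributeStore>();
        services.AddTransient<IClaimsTransformation, AttributeClaimsTransformation>();
        return services;
    }
}
```

Because the transformation runs on every authenticated request, a production store should cache lookups, and an authorization policy that relies on a locally derived claim should be aware that its trustworthiness is bounded by the integrity of that store rather than by the token's signature.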
Read the rest of the post on Marius’ blog here.