|
InputClaims |
|
TransformationClaimType |
Description |
|
plaintext |
The string to hash |
|
salt |
The optional salt for the hash |
|
InputParameters |
|
Id |
DataType | Value |
|
randomizerSecret |
string | The name of a tenant key |
|
OutputClaims |
|
TransformationClaimType |
Description |
|
hash |
The hash computed by the transformation |
|
Example |
This example defines a ClaimsTransformation of the ‘Hash’ type called ‘HashPasswordWithUserId’. A claim called ‘password’ in the policy schema is hashed using a claim called ‘userId’ as salt. Because the hash is salted this way, two users with different userIds but the same password always end up with different hashes. This makes it impossible for an evil insider to insert the hash of a password he knows into another user’s record and successfully log in as the second user.
In addition, the InputParameters statement causes the password to be salted by a secret key created by the tenant called, in this case, ‘AccountTransformSecret’. This means that even if two tenants have users with the same userIds and passwords, the hashes produced will be different. Further, it will be impossible to play passwords for a given userId against a known hash in order to discover the password.
The output of the transformation is put into a claim called ‘hashedPassword’ in the policy schema.
<ClaimsTransformation Id="HashPasswordWithUserId" TransformationMethod="Hash"> <InputClaims> <InputClaim ClaimTypeReferenceId="password" TransformationClaimType="plaintext" /> <InputClaim ClaimTypeReferenceId="userId" TransformationClaimType="salt" /> </InputClaims> <InputParameters> <InputParameter Id="randomizerSecret" DataType="string" Value="AccountTransformSecret" /> </InputParameters> <OutputClaims> <OutputClaim ClaimTypeReferenceId="hashedPassword" TransformationClaimType="hash" /> </OutputClaims> </ClaimsTransformation>