Understanding the authentication and authorization process

ASP.NET Core Identity makes a vital shift in the way authentication works compared with previous versions. In earlier versions, the current user of a request is of the IPrincipal type and can be retrieved through the HttpContext object, whereas with ASP.NET Core Identity, the user is of the ClaimsPrincipal type, which implements IPrincipal. In previous versions, authorization was typically role-based, whereas now it is completely claims-based and built on the ClaimsIdentity object. The ClaimsIdentity object contains the list of claims that the user has; first name, last name, e-mail address, bank account, and phone number are some of the popular claims, but there are many more. A claim is nothing but a key-value pair that can be defined using the Claim object. Claims represent properties of the user that can then be used for authorization purposes.

The ASP.NET Core Identity system is integrated with the ASP.NET platform. You can add the Authorize attribute to any controller or action method and secure it based on the user, the user's role, user claims, or custom policies. The Authorize attribute is responsible for validating that the user is authorized to execute that controller or action method. When the user is authenticated, a cookie is set on the browser that contains the list of claims that the user has, and it can be retrieved through User.Claims.
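The following console program is an added example, not code from the book. It builds ClaimsPrincipal objects by hand and runs them through the authorization service that evaluates policies named in the Authorize attribute, so the claim checks can be seen without a web host. The policy name `FinanceOnly`, the `department` claim, and the sample users are constructed for illustration; the program assumes the `Microsoft.AspNetCore.Authorization` and `Microsoft.Extensions.Logging` NuGet packages are referenced.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Register the policy engine used for [Authorize(Policy = "...")].
// "FinanceOnly" and the "department" claim are hypothetical names.
var services = new ServiceCollection();
services.AddLogging();
services.AddAuthorizationCore(options =>
    options.AddPolicy("FinanceOnly", policy => policy
        .RequireAuthenticatedUser()               // identity must be authenticated
        .RequireClaim("department", "finance"))); // and carry this type/value pair
var authz = services.BuildServiceProvider()
                    .GetRequiredService<IAuthorizationService>();

// A claim is a type/value pair. Supplying an authentication type is what
// makes ClaimsIdentity.IsAuthenticated true.
var alice = new ClaimsPrincipal(new ClaimsIdentity(new[]
{
    new Claim(ClaimTypes.Name, "alice"),
    new Claim(ClaimTypes.Email, "alice@example.test"),
    new Claim(ClaimTypes.Role, "Manager"),
    new Claim("department", "finance"),
}, authenticationType: "Cookies"));

// Authenticated, but the department claim has a different value.
var bob = new ClaimsPrincipal(new ClaimsIdentity(new[]
{
    new Claim(ClaimTypes.Name, "bob"),
    new Claim("department", "sales"),
}, authenticationType: "Cookies"));

// Carries the right claim but no authentication type: IsAuthenticated is
// false, which is why the policy also calls RequireAuthenticatedUser().
var unauthenticated = new ClaimsPrincipal(new ClaimsIdentity(new[]
{
    new Claim("department", "finance"),
}));

// ClaimsPrincipal implements IPrincipal, so role checks written against the
// older interface are answered from the role claims.
IPrincipal legacyView = alice;
Console.WriteLine($"alice IsInRole(Manager): {legacyView.IsInRole("Manager")}");

foreach (var (name, user) in new[] { ("alice", alice), ("bob", bob), ("unauthenticated", unauthenticated) })
{
    var result = await authz.AuthorizeAsync(user, "FinanceOnly");
    Console.WriteLine($"{name}: authenticated={user.Identity?.IsAuthenticated}, allowed={result.Succeeded}");
}
```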
