WCF 4.0 REST Authorization Examples

    Question

  • I am investigating using the new WCF REST functionality in .NET 4 for an upcoming project. 

    This project will likely make use of the OAuth protocol.

    I would like to understand how to implement this in .NET 4.

    I've found several examples of implementing OAuth in WCF 3.5 using the REST starter kit. However, based on what I've read so far these examples don't seem applicable to REST in WCF 4.

    All that the REST specific documentation states on the subject of security is to use SSL -- which isn't all that helpful. 

    It would be great if someone could point me to an article or provide a description of how to implement custom authorization in WCF4 REST.

    Thanks!  
    Friday, January 29, 2010 10:47 PM


All replies

  • Hi there,

    Please take a look at this document, where it explains how to implement OAuth for REST services: http://weblogs.asp.net/cibrax/archive/2008/11/14/oauth-channel-for-wcf-restful-services.aspx

    Also, you will find more REST forum questions in this site: http://forums.asp.net/1180.aspx

    Hope this helps.
    Saturday, January 30, 2010 7:53 PM
    Moderator
  • Thanks very much for your suggestion.

    I've actually looked at that solution. It leverages the REST starter kit for WCF 3.5. It primarily uses the RequestInterceptor made available in the starter kit.

    Since the REST Starter kit is not available for .NET 4.0 (and will not be), I don't see how to use that approach in WCF4 -- especially as I have been unable to find the equivalent of the RequestInterceptor. 

    Perhaps the RequestInterceptor is in WCF4 and I just haven't located it yet?

    Or, perhaps there is another recommended approach that I should be using?

    Thanks again.
    Monday, February 01, 2010 3:04 PM
  • Hi,

    You are right that for the moment RequestInterceptor is not in 4.0.

    However, I do hear a lot of customer need for this; we'll consider adding one in the near future.  No promises - but we'll definitely look into this.
    Serialization
    Wednesday, February 03, 2010 7:06 PM
  • Thanks for the response.

    Is there a recommended way to provide for custom authorization of rest services in 4.0?
    Wednesday, February 03, 2010 7:19 PM
  • It would be great to get some feedback on this question -- this seems like pretty fundamental functionality.

    Without the RequestInterceptor, is there another way to implement custom authorization inside of WCF REST 4.0?

    If WCF 4.0 REST doesn't offer a way to do custom authorization, then at a very basic level it's not going to be a workable solution for us (or, I imagine, for a lot of other people).  
    Monday, February 08, 2010 2:25 PM
  • You can copy the RequestInterceptor channel class from the WCF REST Starter Kit and use in 4.0 as is in order to do custom authentication (like OAuth). In addition, you can do custom authorization using ServiceAuthorizationManager http://msdn.microsoft.com/en-us/library/system.servicemodel.serviceauthorizationmanager.aspx. Also, you can use [PrincipalPermission] at the class level to do authorization.


    T.R.Vishwanath - MSFT
    Monday, February 08, 2010 10:15 PM
  • Thanks for the suggestion.

    I had looked at the ServiceAuthorizationManager previously and thought I was on the wrong track for REST based authorization. 

    Based on your recommendation I went back and looked at this approach some more and it does let me access the information I need.

    The full collection of http headers (along with the authorization header) is contained in OperationContext.RequestContext.RequestMessage.Properties (you have to inspect the Keys attribute for the "httpsRequest" entry and use the related index to look up the object in the Values attribute).

    Thanks again.
    Thursday, February 11, 2010 2:21 PM
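    Worked example (added here, not code from the thread or from Microsoft): a custom ServiceAuthorizationManager for a WCF 4 REST service that pulls the Authorization header out of the request message's Properties, as the reply above describes. The HttpRequestMessageProperty.Name key avoids scanning Keys for an index; the token validator and the "Demo" namespace are placeholders.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

namespace Demo
{
    // Register in web.config, inside the service's <behavior>:
    //   <serviceAuthorization serviceAuthorizationManagerType="Demo.HeaderAuthorizationManager, Demo" />
    public class HeaderAuthorizationManager : ServiceAuthorizationManager
    {
        // Placeholder validator (assumption): replace with the real credential check.
        private static bool IsValidCredential(string scheme, string credential)
        {
            return scheme.Equals("Token", StringComparison.OrdinalIgnoreCase)
                && credential == "constructed-demo-token";
        }

        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            Message request = operationContext.RequestContext.RequestMessage;

            // Properties is a dictionary keyed by name; "httpRequest" is exposed as
            // HttpRequestMessageProperty.Name, so no index lookup through Keys is needed.
            object prop;
            if (!request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out prop))
                return false; // not an HTTP request: deny by default

            var http = (HttpRequestMessageProperty)prop;
            string auth = http.Headers[HttpRequestHeader.Authorization];
            if (string.IsNullOrEmpty(auth))
                return false; // no credentials presented: deny

            // Split "<scheme> <credential>" on the first space.
            int space = auth.IndexOf(' ');
            if (space <= 0 || space == auth.Length - 1)
                return false;
            string scheme = auth.Substring(0, space);
            string credential = auth.Substring(space + 1).Trim();

            // Method, request URI and query string are also reachable here; the entity
            // body (form fields) is not, which is why full OAuth signing is hard at this layer.
            string method = http.Method;
            Uri requestUri = request.Headers.To;
            string query = http.QueryString;

            return IsValidCredential(scheme, credential);
        }
    }
}
```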
  • I wanted to post an update to my original question -- in case it's helpful to anyone else.

    It turns out that it's very difficult to use OAuth from within the ServiceAuthorizationManager, primarily because OAuth needs access to the incoming request's url, query parameters, and form payload. 

    I found it difficult to get at the form payload from within the ServiceAuthorizationManager, which made OAuth within WCF a non-starter.

    The good news is that WCF REST operates within IIS7 and can share the current context with ASP.NET based code. So I was able to make use of the Madgex OAuth library (which runs via an httpmodule) -- http://lab.madgex.com/oauth-net/.

    I had to make some tweaks to the Madgex library to get it working.

    Out of the box it does not support 2-legged OAuth so I had to subclass some of their service provider code to get this to work.

    Also, in this subclass I changed the Madgex service provider to store the resulting OAuthContext in the httpcontext so that I could check the OAuth status from within the WCF ServiceAuthorizationManager. 
    • Marked as answer by jawg Thursday, March 18, 2010 1:15 PM
    Thursday, March 18, 2010 1:15 PM
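    Worked example (added here, not the poster's or the Madgex library's code) of the hand-off the update above describes: an HttpModule that runs in the ASP.NET pipeline, where the form body is available, records its verdict in HttpContext.Items, and a ServiceAuthorizationManager reads it back. The module's check is a stand-in for the library's signature verification, and the "Demo" names and item key are assumptions; the service must run in ASP.NET compatibility mode.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

namespace Demo
{
    // Needs <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> in web.config
    // so that HttpContext.Current is populated while WCF handles the request.
    public static class AuthItems
    {
        public const string Verdict = "Demo.AuthVerdict"; // key chosen for this example
    }

    public class DemoAuthModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Runs before WCF dispatches; URL, query string and form payload are all here.
            app.AuthenticateRequest += (sender, e) =>
            {
                HttpContext ctx = ((HttpApplication)sender).Context;
                // Placeholder for real verification (e.g. checking an OAuth signature
                // over method, URL and form parameters). Deny unless it passes.
                bool ok = Verify(ctx.Request);
                ctx.Items[AuthItems.Verdict] = ok;
            };
        }

        private static bool Verify(HttpRequest request)
        {
            // Stand-in check: a constructed shared secret in a form field (not real OAuth).
            return request.Form["demo_secret"] == "constructed-demo-secret";
        }

        public void Dispose() { }
    }

    public class ContextAuthorizationManager : ServiceAuthorizationManager
    {
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            HttpContext ctx = HttpContext.Current; // null unless compatibility mode is on
            if (ctx == null) return false;
            object verdict = ctx.Items[AuthItems.Verdict];
            return verdict is bool && (bool)verdict; // absent verdict means deny
        }
    }

    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class DemoService { /* [WebGet]/[WebInvoke] operations go here */ }
}
```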