Is there a way to pass thru user authentication to external odata in Lightswitch? RRS feed

  • Question

  • Hi,

    I am looking at setting up multiple Lightswitch applications running forms authentication. I have authentication setup for SSO and I am sharing the the membership and profile databases without issue.

    I am connecting a Lightswitch app 'LSConsumer' to the Odata feed of another Lightswitch app 'LSProvider'. When I attached the odata feed I supplied a user name and password (say 'serveruser') to allow LSConsumer to consume LSProvider.

    Since LSConsumer is authenticated to LSProvider via serveruser, all of the permissions and security checks running on LSProvider are run as serveruser - not the actual user logged in to LSConsumer.

    All of the entities consumed by LSConsumer are themselves exposed by LSConsumer in its odata feed. This presents a potential security risk because those feeds are exposed with whatever permissions serveruser has with LSProvider. Of course, those feeds can have security applied at LSConsumer, but the apparent solution requires duplication of permission and security code from LSProvider - a potentially large code management issue.

    Is there any way that LSConsumer could authenticate to LSProvider using some kind of dynamic or pass thru authentication? Something like that could allow using the actual user's credentials instead of some utility user like 'serveruser'.

    For a workaround, I can attach directly to LSProvider's intrinsic database from LSConsumer - bypassing all permissions and security code on LSProvider. I would then need to duplicate all of the permissions and security code for any entities I choose to expose on LSConsumer. This is a code management heavy solution, but it would work.

    Am I missing a fundamental detail here?

    Any feedback is welcome.


    Thursday, September 12, 2013 1:16 AM


  • Perhaps you can make a WCF RIA Service that connect to the external OData feed and uses code from here:

    Calling LightSwitch 2011 OData Using Server Side Code

    and here:

    A Full CRUD LightSwitch JQuery Mobile Application

            partial void OnContextCreated()
                this.SendingRequest +=
                   new EventHandler<SendingRequestEventArgs>(OnSendingRequest);
            void OnSendingRequest(object sender, SendingRequestEventArgs e)
                // Get the Forms auth cookie
                var AuthCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
                if (AuthCookie != null)
                    Cookie objCookie = new Cookie();
                    objCookie.Domain = HttpContext.Current.Request.Url.DnsSafeHost;
                    objCookie.Expires = AuthCookie.Expires;
                    objCookie.HttpOnly = AuthCookie.HttpOnly;
                    objCookie.Name = AuthCookie.Name;
                    objCookie.Path = AuthCookie.Path;
                    objCookie.Secure = AuthCookie.Secure;
                    objCookie.Value = AuthCookie.Value;
                    ((HttpWebRequest)e.Request).CookieContainer = new CookieContainer();

    Unleash the Power - Get the LightSwitch HTML Client book


    • Marked as answer by Angie Xu Monday, September 23, 2013 3:12 AM
    Thursday, September 12, 2013 1:49 PM

All replies