WCF - MVC Authentication Question

  • Question

  • The solution I'm building consists of:
    - Presentation layer: MVC 3; Controller calls WCF REST Services, Model = presentation model (domain model, repository, ... sits in WCF part)
    - WCF REST Services

    So far so good this architecture ... but I'm completely stuck regarding Authentication/Authorization (I would like to use Forms Authentication). Users can authenticate in the MVC app. But how should I solve the additional problem of authenticating to the WCF REST services? If on the WCF side there's no authentication someone can directly access business logic, data, ...?

    Thanks.

    Tuesday, April 5, 2011 8:50 AM

All replies

  • Hello, if you're using Windows authentication, you can enable impersonation on the MVC side. This allows the MVC application to run in the context of the request user, and thus pass the user's credential to the WCF service.

    If you're not using Windows authentication, I suggest you adopt a standard REST authentication mechanism like OAuth. The essential idea of OAuth is to delegate the authentication to a trusted identity provider. The user first performs authentication against the identity provider, which returns a token to the user. Then the user sends the token to the actual service (in your case, the MVC application). Since the actual service trusts the identity provider, it thinks the user has been authenticated. It can even send the token to external services (like your WCF service). If the external service also trusts the identity provider, it will also think the user is authenticated. Of course the identity provider should be well written, so no one can forge the token. The problem is to find such an identity provider. You can build your own, but it is recommended to use an existing identity provider, such as Windows Live ID, Windows Azure AppFabric ACS, etc.
    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    Windows Azure Technical Forum Support Team Blog
    Wednesday, April 6, 2011 2:38 AM
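
    The token flow described in the reply above, as an added C# example that is not part of the original thread and is not the token format of OAuth, Windows Live ID or ACS. It assumes the identity provider and both services share one symmetric key; `DemoToken`, the key and the `user|expiry.signature` layout are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: DemoToken, the key and the token layout are constructed, not a real format.
static class DemoToken
{
    // Assumption: a secret shared by the identity provider and every service that trusts it.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");
    static byte[] Mac(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    // Identity provider: issue a signed token once the user has authenticated.
    public static string Issue(string user, DateTime expiresUtc)
    {
        if (user.Contains("|")) throw new ArgumentException("user must not contain '|'");
        string payload = user + "|" + expiresUtc.Ticks;
        return payload + "." + Convert.ToBase64String(Mac(payload));
    }
    // MVC app and WCF service: the same check on both tiers; no password reaches either.
    public static bool TryValidate(string token, DateTime nowUtc, out string user)
    {
        user = null;
        int dot = token == null ? -1 : token.LastIndexOf('.');
        if (dot < 0) return false;
        string payload = token.Substring(0, dot);
        byte[] given, expected = Mac(payload);
        try { given = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        int diff = given.Length ^ expected.Length;   // compare without an early exit
        for (int i = 0; i < given.Length && i < expected.Length; i++) diff |= given[i] ^ expected[i];
        string[] parts = payload.Split('|');
        long ticks;
        if (diff != 0 || parts.Length != 2 || !long.TryParse(parts[1], out ticks)) return false;
        if (nowUtc.Ticks > ticks) return false;      // token has expired
        user = parts[0];
        return true;
    }
    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string token = Issue("alice", now.AddMinutes(20)), user;
        Console.WriteLine(TryValidate(token, now, out user));  // checked by the MVC app
        Console.WriteLine(TryValidate(token, now, out user));  // same token forwarded to the WCF service
        Console.WriteLine(TryValidate(token.Replace("alice", "admin"), now, out user)); // user name altered
        Console.WriteLine(TryValidate(token, now.AddHours(1), out user));               // presented after expiry
    }
}
```

    The WCF tier runs the same validation as the MVC tier, so a caller that bypasses the MVC application still has to present a token the identity provider signed.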
  • Thanks.

    In your case, if I understand well, that would mean logging-in (authenticate) with an identity provider (own build or windows live id, ...) and not authenticating in the MVC application? I think this would be too complex for the app I'm developing.

    (Standard) Forms Based authentication would be no option? Something like: logging-in in the MVC app with Forms Based authentication and accompanying the userid/passwd to every call made to the WCF REST service? Maybe too simplistic?

    Or is there another way to still use WCF REST services without the complexity of authentication/authorization? Maybe not using an MVC presentation layer but instead developing only pure html pages (with javascript, jquery calls to the WCF REST services)? Or are there maybe other possible options/solutions?

    The reason why I want to pursue with WCF (REST) services is re-usability. But in case it becomes too complex I'll take a simpler road and go for a pure MVC (presentation layer) + domain layer (entities, ...) + infrastructure layer (EF, repositories) abandoning the extra WCF layer (application/service layer) that normally sits before my domain/infrastructure layers.

    Thanks.

    Wednesday, April 6, 2011 6:57 AM
  • Well, you can just store the user's username/password in the MVC application using plain text and then send it to the WCF service. But of course this is not a very secure solution. You can also remove one of the services. The MVC controller itself can serve as a REST service. And JavaScript clients can work with most REST services without too much effort. So you can either remove MVC or WCF.
    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    Windows Azure Technical Forum Support Team Blog
    Wednesday, April 6, 2011 9:33 AM
  • Thanks.

    1. you can just store the user's username/password in the MVC application using plain text and then send it to the WCF service. But of course this is not a very secure solution. -> as you mention probably not a good solution
    2. You can also remove one of the services. MVC controller itself can serve as a REST service. -> so in fact my Controllers would take the responsibilities of the WCF REST services (calling infrastructure, domain layers)? Do you know of any good documentation about REST service with MVC?
    3. And JavaScript clients can work with most REST services without too much effort -> is it recommended practice to use the javascript clients directly with WCF REST services or should I eventually use an MVC javascript implementation (in fact another technology and thus a complexity)?

    Thanks.

     

    Wednesday, April 6, 2011 10:15 AM
  • 2. The implementation of the service can be reused. The difference between MVC and WCF REST is simply how the service contracts are defined. As you know, a controller supports almost all HTTP verbs, the data format can be described in XML, JSON, etc, and you can use routing to control the URI, so MVC provides you most of the infrastructure to build a REST service. You may want to read http://msdn.microsoft.com/en-us/magazine/dd943053.aspx. Of course WCF REST still offers several advantages over MVC. For example, it supports automatically selecting a response format.

    3. If your WCF REST service and MVC REST service provide the same set of API (that is, the same contract), to a JavaScript client (or any other clients), they're exactly the same service. WCF and MVC are just two ways to build REST services.


    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    Windows Azure Technical Forum Support Team Blog
    • Marked as answer by Yi-Lun Luo Monday, April 11, 2011 8:58 AM
    Friday, April 8, 2011 1:36 AM
  • The service is always secure, because all WCF services are exposed by interface only.

    Tuesday, March 13, 2012 8:54 AM