WCF Service Authentication with Custom Username & Password

  • Question

  • Hello All,

    I have to implement a public WCF service which can be consumed by a known client. I also want to authenticate the client using a custom identity (not Windows authentication).

    I have explored WCF security for authentication with a custom username and password. Since I have to implement the solution for a heterogeneous network, I cannot use Windows authentication.

    I have found two ways through which we can incorporate custom authentication in WCF. I have a few queries on each of the approaches, as below.

    1) Through the "UserNamePasswordValidator" class. We can create a custom username/password validator and validate the user from the database. This approach is perfectly fine to implement SSO (Single Sign On), as each request has credentials in the SOAP header. The client doesn't have to validate himself before each request.

         Query 1: Is this approach easily extensible for authorization as well? Since authentication happens before the service call, by getting credentials from the SOAP header, and the credentials are not a part of the ObjectContext, I have a feeling that the authorization approach is not straightforward.

         Query 2: To follow this approach we need to use the Brokered Authentication pattern, and for this we need a third-party certificate. Is it advisable to go with this approach, as we have to add the cost of a certificate to the project?

         Query 3: If we use message security to encrypt the message, why do we need a certificate? Just for client identity? Can't we just use a self-signed certificate in production, since we know who will consume this service?

    2) Through the "ServiceAuthenticationManager" class. I know only one approach using this class, and that is to implement the solution using the Direct Authentication pattern. Also, after authenticating the user, we need to supply its identity or token through a custom header for all subsequent requests coming to the service to implement SSO (Single Sign On).

         Query 1: Is this a valid approach for a public service? Should we force the user to supply credentials (or the token provided by our service once it is authenticated) via a custom header in each request?

         Query 2: This approach doesn't require a certificate, and so we can save its cost for the project. Is this enough reason to pick this approach?

    Personally I feel the first approach is easy to implement and is the more standard way to implement authentication in a WCF service, but the only problem is that we need a third-party certificate.

    Please answer my queries and if possible suggest the best approach for my requirement.



    Monday, January 21, 2013 8:26 AM

All replies

  • I know there are three ways you can use at the service side to validate the username and password credentials of the client: Windows authentication, MembershipProvider, and a custom UserNamePasswordValidator.

    There is an example on MSDN to use a custom User Name and Password Validator

    Hope this provides some help.

    • Edited by MiniPeter Wednesday, January 23, 2013 7:40 AM
    Wednesday, January 23, 2013 7:37 AM
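As an added example (not the MSDN sample the reply refers to, and not code from the original post), a custom UserNamePasswordValidator for the first approach in the question. The user store, salt and credentials are constructed sample data, and DatabaseUserNameValidator and its helper methods are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.Security.Cryptography;
using System.ServiceModel;
using System.Text;

// Hypothetical validator: verifies a PBKDF2 password hash against a constructed
// in-memory store; a real service would load the row from its user table.
public class DatabaseUserNameValidator : UserNamePasswordValidator
{
    // Constructed sample row: user "alice" with password "S3cret!" (a real store keeps one salt per user).
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-salt");
    private static readonly Dictionary<string, byte[]> Users =
        new Dictionary<string, byte[]>(StringComparer.Ordinal) { { "alice", Hash(Salt, "S3cret!") } };

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new FaultException("Unknown Username or Incorrect Password");

        byte[] stored;
        // Hash the supplied password even for unknown users so response time does not
        // reveal whether the account exists, then compare in fixed time. One generic
        // message covers both failure cases.
        byte[] expected = Users.TryGetValue(userName, out stored) ? stored : new byte[32];
        if (!FixedTimeEquals(expected, Hash(Salt, password)) || stored == null)
            throw new FaultException("Unknown Username or Incorrect Password");
        // After a successful Validate, WCF exposes the user name as
        // ServiceSecurityContext.Current.PrimaryIdentity.Name inside operations,
        // which is the hook for role- or claims-based authorization (the question's Query 1).
    }

    private static byte[] Hash(byte[] salt, string password)
    {
        // PBKDF2 (Rfc2898DeriveBytes) rather than a bare hash, so offline guessing is slow.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 10000))
            return kdf.GetBytes(32);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The class is wired in through the service's serviceCredentials/userNameAuthentication behavior with userNamePasswordValidationMode="Custom" and customUserNamePasswordValidatorType set to its assembly-qualified name.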