WCF Token authentication - How to create token and how to validate token at server?

  • Question

  • Hi,

    I am implementing token authentication for a hybrid mobile app (Cordova-Ionic framework) that will communicate with a WCF service.

    Below are the steps I am planning to do:

    1. The mobile app will send the login id and password to the WCF service.
    2. After the user id and password are validated against the database, (Question 1:) how can I create the token at the WCF service that will be sent back to the mobile app for further communications?
    3. The received token at the mobile app will be added to the HTTP header for further communications with the server.
    4. At the WCF server (during further communications), after taking the token from the header, (Question 2:) how can I validate the token? Please help me.
    5. How to implement the token expiration?

    Please help me.

    (Hope you will not just paste help links. Thanks for a specific answer.)

    Monday, October 12, 2015 6:53 AM

Answers

  • Hi,

    You can try 3 different options:

    1. You can use some external security token service (STS). In this case you can use WSFederationHttpBinding and a SAML token. So your mobile app will redirect the user to the STS to authenticate, and will use the token provided by the STS to communicate with your WCF service.

    2. If you don't want to use an STS, you can create your own token: https://msdn.microsoft.com/en-us/library/ms752249.aspx?f=255&MSPPError=-2147217396.

    3. The easiest way will be to construct your own token by concatenating the username and the current date time into one single string and then encoding it. It will be your token. The mobile app receives it after sending the username and password. Later the mobile app will send this token, and WCF will decode it (which means the token is valid), check the date time to see if the token is expired, and it can also check the username, so that this user still exists. Since the token is an encoded string, no one can create a new token unless they know the encoding key.

    • Marked as answer by vrad Tuesday, October 13, 2015 2:56 AM
    Monday, October 12, 2015 7:48 AM
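The third option carried out on the WCF side, as an added example that is not the answerer's or the asker's code: the token carries the username and a UTC expiry timestamp, and an HMAC-SHA256 under a server-held key lets the service reject a token it did not issue or that was altered (base64 alone gives no such protection). The `Key` value, the `username|ticks` payload layout and the `userExists` callback are assumptions for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the answerer's code: token = base64(username|expiryUtcTicks) + "." + base64(HMAC-SHA256).
public static class SimpleToken
{
    // Constructed demo key; a real service loads it from protected configuration and keeps it server-side only.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-key-replace-with-32-random-bytes");

    public static string Create(string username, TimeSpan lifetime, DateTime nowUtc)
    {
        if (username.Contains("|")) throw new ArgumentException("username must not contain '|'");
        byte[] payload = Encoding.UTF8.GetBytes(username + "|" + nowUtc.Add(lifetime).Ticks);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Sign(payload));
    }

    // Returns the username when the token is authentic, unexpired and the account still exists; otherwise null.
    public static string Validate(string token, DateTime nowUtc, Func<string, bool> userExists)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        // Verify the MAC before trusting anything inside the payload.
        if (!FixedTimeEquals(Sign(payload), mac)) return null;
        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        long expiryTicks;
        if (fields.Length != 2 || !long.TryParse(fields[1], out expiryTicks)) return null;
        if (nowUtc.Ticks >= expiryTicks) return null;   // expired (the asker's question 5)
        if (!userExists(fields[0])) return null;         // user deleted or disabled since the token was issued
        return fields[0];
    }

    private static byte[] Sign(byte[] data)
    {
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(data);
    }

    // Constant-time comparison so a forger cannot learn how many MAC bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

`Create` is called once after the password check succeeds and its result is returned to the app; `Validate` runs on every subsequent request against the value the app placed in its HTTP header, and a null result means the request should be refused.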

All replies

  • Thank you ash0ru.

    I chose the 3rd option.

    Tuesday, October 13, 2015 2:56 AM