How To Enable WCF REST Endpoint with Cross Domain Authentication

  • Question

  • Hello Everyone! 

    We're attempting to create a new authenticated REST endpoint to match our long-existing authenticated WCF endpoint in our self-hosted Windows Service. The existing WCF endpoint is accessible cross domain without issue. However, we have not been able to figure out how to get past various security limitations in configuring the REST endpoint, and hope you can be of assistance. 

    Rather than post what we've done, since we've put extensive time into this and have literally tried every suggestion on every related link Google pulled up, I'm going to say what we want to do and hope someone who has done it before can lead us in the right direction.

    We have a REST endpoint using the webHttpBinding. This is exposed from a Windows Service on a local network, but is meant to be accessible by any device on the network, assuming the correct username and token is sent with the request. Clients accessing the service could be a jquery script, Android app, iOS app, etc. They may also connect from off network from client apps, if the router is configured for port forwarding.

    That seems to be the big stumbling block, as things like crossDomainScriptAccessEnabled results in the message "Cross domain javascript callback is not supported in authenticated services". We found a way to get it to accept cross domain authenticated requests by predefining approved client address, but that's useless when those client addresses are unknown and variable.

    So, to sum it up in one sentence: how do we configure WCF to create a REST endpoint that supports username authentication cross domain without predefining acceptable client addresses?

    Thanks in advance!!

    Saturday, March 12, 2016 10:46 PM

All replies

  • Hi,

    Based on your description, I searched related web sites about REST WCF services with cross-domain authentication and found some similar threads (links below) for your reference.

    https://social.msdn.microsoft.com/Forums/en-US/4fcaf1c6-1472-43ee-95c2-0f7823bae87e/jquery-crossdomain-call-to-wcf-service-svc-that-use-custom-authentication?forum=adodotnetdataservices

    http://stackoverflow.com/questions/13413561/wcf-authentication-over-rest

    Best regards.

    Monday, March 14, 2016 9:44 AM
  • Hello! Appreciate the response but we've tried that link. Those examples are how to enact method-level authentication, but we're looking to do it properly on the transport layer via standard REST credential passing. As we have multiple endpoints (WCF, REST) using the same service methods, authentication must happen before the service method is even called.

    We're really looking for someone who knows how to do this, rather than links, because I'm pretty sure we've read (and tried) every link that we could find on the subject.

    Thanks!!!

    Monday, March 14, 2016 7:27 PM
  • Hello,

    For how to implement the username authentication for your WCF REST service, first we need to install the service certificate which will be used as service credentials for message protection. For how to install the service certificate when the WCF service is hosted in the Windows Service, please try to refer to this article. After that we need to supply a custom UserNamePasswordValidator for implementing the username authentication. For the detailed information, please check (Secure Self-Hosted WCF REST Services with a Custom UserNamePasswordValidator).

     

    For how to enable the Cross Domain Authentication with the WCF Rest Service, we can try to add some code snippet like below in your service method:

    public string YourServiceMethod(){  
     //for all cors requests  
     WebOperationContext.Current.OutgoingResponse.Headers  
         .Add("Access-Control-Allow-Origin","*");  
     //identify preflight request and add extra headers  
     if (WebOperationContext.Current.IncomingRequest.Method == "OPTIONS") {  
          WebOperationContext.Current.OutgoingResponse.Headers  
              .Add("Access-Control-Allow-Methods", "POST, OPTIONS, GET");  
          WebOperationContext.Current.OutgoingResponse.Headers  
              .Add("Access-Control-Allow-Headers",  
                   "Content-Type, Accept, Authorization, x-requested-with");  
          return null;  
      }  
      return "Something";  
    }  
    

    For more information, please check:
    #Cross Origin Resource Sharing for c# WCF Restful web service hosted as Windows service:
    http://stackoverflow.com/questions/16024347/cross-origin-resource-sharing-for-c-sharp-wcf-restful-web-service-hosted-as-wind .

    Best Regards,
    Amy Peng


    • Proposed as answer by Zhanglong.Wu Sunday, March 20, 2016 3:03 PM
    • Unproposed as answer by ChrisCicc Sunday, March 20, 2016 8:05 PM
    Thursday, March 17, 2016 9:35 AM
    Moderator
  • Hey Amy, thanks for the reply. Unfortunately we're well beyond the steps you list here. Adding the headers isn't the issue.

    Further, the two links you provided are for WCF services, not REST services (though one incorrectly lists that it's for REST, it's actually for SOAP). We've also already seen both of those posts. That's why we're looking for help from someone who has actually successfully done this, rather than links to blog posts.

    We do have a secure WCF service fully implemented without issue, securing the REST endpoint is the issue.

    Thanks,

    Chris

    Sunday, March 20, 2016 8:10 PM
  • Hello,

    I also want to find an example about implementing the REST service with username authentication. I just found your thread and I have tried the following link. It works for me:
    Secure Self-Hosted WCF REST Services with a Custom UserNamePasswordValidator (http://blog.tonysneed.com/2012/05/28/secure-wcf-rest-services-with-a-custom-usernamepasswordvalidator/). A new account cannot add a link. :(

    Sunday, April 10, 2016 2:45 PM
  • We were unable to get this to work in a CORS context.

    However, we did successfully implement a custom authentication system using our own header.

    Sunday, April 10, 2016 6:53 PM
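
An added example, not code from any poster in this thread: it models the order of checks that lets a token sent in a custom request header work from unknown origins, combining the CORS headers from the moderator's snippet with the custom-header approach mentioned in the post above. The class name, the `X-Api-User` and `X-Api-Token` header names and the token store are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example, not code from the thread. CorsAuthGate, X-Api-User and X-Api-Token
// are hypothetical names; Tokens is a constructed sample store.
public static class CorsAuthGate
{
    static readonly Dictionary<string, string> Tokens =
        new Dictionary<string, string> { { "alice", "constructed-sample-token" } };

    // Returns the HTTP status; invoke is true only when the service method may run.
    public static int Evaluate(string method, IDictionary<string, string> request,
                               IDictionary<string, string> response, out bool invoke)
    {
        var h = new Dictionary<string, string>(request, StringComparer.OrdinalIgnoreCase);
        invoke = false;
        // No cookies and no Access-Control-Allow-Credentials are used, so browsers accept
        // "*" and origins need not be predefined. Set first so a 401 is readable too.
        response["Access-Control-Allow-Origin"] = "*";
        // A preflight carries no custom headers: answer it before the credential
        // check and never run the service method for it.
        if (method == "OPTIONS" && h.ContainsKey("Access-Control-Request-Method"))
        {
            response["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
            response["Access-Control-Allow-Headers"] = "Content-Type, X-Api-User, X-Api-Token";
            return 204;
        }
        string user, token, expected;
        invoke = h.TryGetValue("X-Api-User", out user) && !string.IsNullOrEmpty(user)
              && h.TryGetValue("X-Api-Token", out token) && token != null
              && Tokens.TryGetValue(user, out expected) && SameBytes(token, expected);
        return invoke ? 200 : 401;
    }

    // Compares every byte instead of stopping at the first mismatch.
    static bool SameBytes(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
    static void Main() // constructed sample: a preflight, which carries no token
    {
        var pre = new Dictionary<string, string> { { "Access-Control-Request-Method", "GET" } };
        bool run;
        Console.WriteLine(Evaluate("OPTIONS", pre, new Dictionary<string, string>(), out run) + " " + run);
    }
}
```

The token travels in a request header, so the endpoint needs HTTPS. In a self-hosted service this decision has to run before the operation is dispatched, so that every endpoint sharing the service methods is covered by the same check.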
  • Finally I found a solution, thank you!
    Sunday, March 18, 2018 1:11 PM
  • What was your solution? I am having a really difficult time with this myself. Any help would be greatly appreciated.

    Wednesday, October 24, 2018 7:03 PM