Hi,

I am relatively new to the WCF world so my apologies for the newbie question. I am currently designing a layer of WCF services. One of them is an authentication service, so I came up with the following authentication mechanism:

IUserService.TryAuthenticateUser(string username, string password, out string key)

Basically the user tries to authenticate and if successful - he/she receives a sessionkey/securitykey/whateverkey... the key is then required for every other "WCF action" e.g.

IService.GiveMeMyFeatures(string key);
IService.Method1(string key);

This mechanism looks extremely intuitive to me and is also very easy to implement, so what bothers me is why I can't find similar WCF examples? This unique key (which is practically a session key with WCF-side expiration and all) can then be used from the various applications, according to the application's architecture: for ASP.NET it can be stored in a cookie, for Winform/WPF/Mobile I guess it can be stored in the form class in a field and so on...

So here comes question number 1: What do you think of this method?

I also read that I can use the built-in ASP.NET Authentication Services (with membership providers etc... if I understood correctly). From an architecture point of view I don't really like this method, because when authenticating from an ASP.NET page the workflow will be like this: ASP.NET -> WCF -> ASP.NET Authentication Service -> Response

In this scenario one could also bypass the WCF layer and call the auth. service methods directly from the ASP.NET page. I know that by going through the WCF layer for every authentication request I will lose some performance, but it is important for me to have a nice, layered architecture...

And here is question number 2: What are the advantages/disadvantages of this method over the first one, and why is it so popular, when from an architecture point of view it is kinda wrong?

I also read that I can send user credentials with every WCF method call and use the built-in mechanism to authenticate and respond properly to the request.

Q3: What do you think of this method?

And to sum up - obviously there are many authentication methods, but which one do you think is best and most generic (considering that the WCF services will be called from ASP.NET/WPF/mobile/etc...)?

Thanks in advance :)

+2  A: 

The reason you can't find examples is that it's not best practice - it's turning something that should be stateless, web services, into something stateful, and something that will not load balance well at all.

As web services already have standard username and password facilities, supported by almost every SOAP stack (excluding Silverlight) that's the way to go. You can use the standard .NET role based security model to protect your methods with this approach as well.

blowdart
+1 - you're absolutely best off using the "Per-Call" scenario - each call is separated from the previous one and there's no sharing of anything between calls.
marc_s
Hm, I think I explained it wrong. I don't want to share information between calls, I just want to ensure that the calls are coming from a valid user. I dislike the idea of sending the password every time over the wire, therefore I came up with the "abstract" key concept... I improved the idea a bit - still using the UserService to get a key from the username and password, but then instead of passing the key as a parameter to every WCF method - just use custom credentials
s7orm
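To make the accepted answer concrete, here is an added example (not code from the question or any answer) of the per-call, credential-based approach it recommends: the contract carries no "key" parameter, the client's username and password ride in the WS-Security UsernameToken of every message over TLS, a custom validator checks them on each call, and the standard .NET PrincipalPermission attribute enforces roles. The contract name IService, the validator and policy class names, the hard-coded "alice" credentials, the "Users" role mapping and the https://localhost:8443 address (with a certificate assumed to be already bound to that port) are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Contract: no "key" parameter. The caller's identity travels in the message's
// WS-Security UsernameToken, so every call is self-describing and stateless.
[ServiceContract]
public interface IService
{
    [OperationContract]
    string GiveMeMyFeatures();
}

// PerCall instancing: no state survives between calls, which is what lets the
// service sit behind a load balancer without session affinity.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class Service : IService
{
    // Standard .NET role-based security: WCF returns an access-denied fault
    // unless the caller's principal is in the "Users" role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Users")]
    public string GiveMeMyFeatures()
    {
        string name = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return "features for " + name;
    }
}

// Hypothetical validator, invoked once per call. A real one looks the user up
// in a store and compares a salted password hash; throwing rejects the call.
public class DemoUserNamePasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "correct horse battery staple")
            throw new SecurityTokenException("Unknown username or incorrect password.");
    }
}

// Hypothetical authorization policy: turns the authenticated identity into a
// principal with roles so that PrincipalPermission can be evaluated.
public class DemoRolePolicy : IAuthorizationPolicy
{
    public string Id { get { return "DemoRolePolicy"; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        object identities;
        if (!evaluationContext.Properties.TryGetValue("Identities", out identities))
            return false;
        IIdentity identity = ((IList<IIdentity>)identities)[0];
        // Constructed role mapping; a real policy would consult the user store.
        string[] roles = identity.Name == "alice" ? new[] { "Users" } : new string[0];
        evaluationContext.Properties["Principal"] = new GenericPrincipal(identity, roles);
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // TransportWithMessageCredential: TLS authenticates the server and hides the
        // password on the wire; the UsernameToken authenticates the client per call.
        // Assumes an HTTPS certificate is already bound to port 8443 on this host.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(Service), new Uri("https://localhost:8443/service"));
        host.AddServiceEndpoint(typeof(IService), binding, "");

        UserNamePasswordServiceCredential auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new DemoUserNamePasswordValidator();

        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies =
            new ReadOnlyCollection<IAuthorizationPolicy>(new IAuthorizationPolicy[] { new DemoRolePolicy() });
        host.Open();

        // Client side: credentials are set once on the factory and WCF attaches them
        // to every message, so no "key" parameter is threaded through the contract.
        var factory = new ChannelFactory<IService>(binding, new EndpointAddress("https://localhost:8443/service"));
        factory.Credentials.UserName.UserName = "alice";
        factory.Credentials.UserName.Password = "correct horse battery staple";
        IService proxy = factory.CreateChannel();
        Console.WriteLine(proxy.GiveMeMyFeatures());

        ((IClientChannel)proxy).Close();
        factory.Close();
        host.Close();
    }
}
```

Because the password is validated on every call rather than exchanged for a server-held session key, any node can answer any request, nothing has to expire or be revoked on the service side, and the transport layer (TLS) is what keeps the credential off the wire in clear text. A failed Validate or a missing role surfaces to the client as a SecurityAccessDeniedException / MessageSecurityException rather than as an application-level return value, which keeps the contract itself free of authentication plumbing.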
A: 

Agree with blowdart. Not sure how you're using this, but if it's going across the wire then I'd be concerned about man-in-the-middle or "replay" attacks...

A: 

I have a similar scenario.

I have quite a few WCF services, but I only want to authenticate the user once, as it is expensive.

So let's say they create a channel to IServiceOne, and with this they pass their authentication details and are authenticated.

They then create a channel to IServiceTwo.

However I do not want them to now re-authenticate if they are connecting to the same server.

I am using NetTcpBinding and all the services live under the same TCP port, so surely there is some way of identifying that the user is already connected and authenticated?

Steve