views:

415

answers:

3

I'm looking for some guidance on the best way to authenticate to my WebService. Right now, I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService.

The MVC website uses OpenID to authenticate users, and during the development phase, we have simply been passing the user's OpenID Claimed Identifier to the WebService to authenticate. Obviously this is not what we will be releasing to the customer when we go live.

So my question is this: What's the best way to authenticate to the WebService?

Some of the APIs I've played around with use Authentication Tokens. Another idea we had was to, upon connection to the WebService, pass the client an encryption key which they could use for all transfers.

I'm thinking out loud here, and again, any help is greatly appreciated! Thanks!

...

UPDATE: Right now I have created a custom SoapAuthenticationHeader which has an OpenIdURL property. This is used on all service calls to authenticate the user. The problem is two-fold:

  1. If a hacker knows a user's OpenIdURL, they can easily gain access to the WebService.
  2. The OpenIdURL is currently passed in plain-text.

So I could pass an encryption key to the client upon connection to the WebService, and have the client encrypt the OpenIdURL in the SoapAuthentication header. But I'm not sure about how to best go about that...
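The question's own header (the OpenIdURL as the credential) fails because the identifier is public and is sent in the clear. The usual fix, and the one the "Authentication Tokens" idea above points at, is for the web service to mint a signed, expiring access token once the MVC site has completed the OpenID login, and for the client to present that token on every call instead of the OpenID URL. The following is an added example, not code from the question or any answer; it is written in Python rather than C#/ASMX to show the scheme itself, and `SERVER_KEY`, the token layout and the helper names are assumptions of this example. Note that the token is still a bearer credential, so the transport must be TLS; signing stops forgery and tampering, not eavesdropping.

```python
"""Constructed example: replace a plaintext OpenIdURL SOAP header with a
signed, expiring access token issued by the web service after OpenID login."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Hypothetical server-side secret (assumption of this example). It lives only on
# the web service; because the client never sees it, knowing a user's public
# OpenID URL is not enough to mint a token for that user.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def weak_authenticate(header_openid_url: str, known_users: Set[str]) -> Optional[str]:
    """The scheme from the question: the header value itself is the credential,
    so anyone who knows or sniffs the plaintext URL is authenticated."""
    return header_openid_url if header_openid_url in known_users else None


def issue_token(openid_url: str, *, key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Mint a token only after the OpenID assertion has been verified.
    Layout: base64url(JSON payload) '.' base64url(HMAC-SHA256(key, payload))."""
    issued = int(time.time() if now is None else now)
    payload = {
        "sub": openid_url,                 # who the token is for
        "iat": issued,                     # issued at
        "exp": issued + TOKEN_TTL_SECONDS, # hard expiry limits replay of a leaked token
        "jti": secrets.token_hex(8),       # unique id: two logins never share a token
    }
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_token(token: str, *, key: bytes = SERVER_KEY, now: Optional[int] = None) -> Optional[str]:
    """Return the OpenID URL carried by a valid, unexpired token, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check leaks nothing about the expected tag.
    if not hmac.compare_digest(_b64e(expected).encode("ascii"), tag.encode("utf-8")):
        return None
    try:
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    current = int(time.time() if now is None else now)
    if current >= int(payload.get("exp", 0)):
        return None
    return payload.get("sub")


if __name__ == "__main__":
    # Constructed identifier for demonstration only.
    tok = issue_token("https://alice.example.org/")
    print("token:", tok)
    print("verified subject:", verify_token(tok))
```

Calling `verify_token` with a bare OpenID URL, an expired token, a token whose payload was altered, or a token minted under a different key all yield `None`; only a token the service itself issued within the last hour identifies the user. In the SOAP setting the token string would travel in the custom header in place of the OpenIdURL, and the service would call the verify step in its header handler.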

+3  A: 

You might want to take a look at OAuth:

http://oauth.net/

As it is geared specifically for this scenario (Open ID isn't, really).

There is another question on SA which asks about the best way to secure a web service, and Open ID and OAuth are both discussed:

http://stackoverflow.com/questions/386973/web-service-authentication-using-openid

casperOne
When you say "this scenario", which one are you referring to? ASMX services?
John Saunders
Thanks, this has pointed me in the right direction. I want to see what the rest of the community has to share, before I mark this as answered. While I don't think I need all the functionality that OAuth has to offer, the Protocol Workflow page offers some great information about Request Tokens and Access Tokens.
mbmccormick
@John Saunders: I'm referring to Open ID vs OAuth, not really ASMX vs WS-* web services. Open ID isn't really meant for use with APIs, whereas OAuth is.
casperOne
A: 

ASMX web services (which Microsoft now considers to be "legacy") have no ability to use OpenID for authentication. They can only use what IIS provides to them. You could possibly add a SoapExtension that would do OpenID authentication for them, but I wouldn't spend time there.

I don't know enough about OpenID to be certain, but I suspect it can integrate with WCF through federated security. I'm sure someone else will answer with details on that.

John Saunders
My apologies. Right now I have created a custom SoapAuthenticationHeader which has an OpenIdURL property. This is used on all service calls to authenticate the user.
mbmccormick
Could you update your question with that information? In particular, if you've got this header, what more are you looking for?
John Saunders
What, "legacy"? Oh, Microsoft... ASMX WebServices are great! :)
mbmccormick
They're great if your needs are simple. In any case, they've been replaced by WCF, and now considered legacy. See http://johnwsaundersiii.spaces.live.com/blog/cns!600A2BE4A82EA0A6!860.entry.
John Saunders
A: 

This isn't really an answer, but I can't leave comments...

You say "I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService".

I might be way off base here, but the language implies that these two sit on the same server. If so, why can't you just share the users database and the cookie token?

James

James S
These may or may not sit on the same server. There will be instances where both happen.
mbmccormick