What type of authentication would you suggest for the service that is:

  • implemented as WCF and exposed via various endpoints (including XML-RPC)
  • has to be consumed easily by various cross-platform clients

Why?

Options that I'm aware of are:

  • Forms-based authentication for IIS-hosted WCF (easy to implement, but has horrible cross-platform support, plus it is not REST)
  • Sending plain-text username/pwd with every call (easy to use on any platform, but totally unsecure)
  • Using ticket-based authentication, when username&pwd are used to create a ticket that is valid for some time and is passed with every request (can be consumed by any client easily, but the API model is bound to this type of security)

Thanks for your time!

+1  A: 

Since you mention REST, I assume over HTTP, you could look at HTTP Digest Authentication.

However, keep in mind that XML-RPC is not RESTful. If you are going the way of WS/RPC, you might want to look at WS-Security.

Alexandros Marinos
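An added illustration of the HTTP Digest scheme mentioned in the answer above (not part of the original answer): how an RFC 2617 `qop=auth` response is computed on the client and checked on the server, so the password itself never crosses the wire and a captured request cannot be replayed. The `DigestVerifier` class and its method names are hypothetical; MD5 is used only because RFC 2617 specifies it.

```python
import hashlib
import hmac
import secrets


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: RFC 2617 'response' value for qop=auth."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")   # identity secret
    ha2 = _md5_hex(f"{method}:{uri}")                  # binds the request line
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestVerifier:
    """Server side (hypothetical helper): keeps HA1 per user, never the password."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1 = {}        # username -> HA1
        self.last_nc = {}    # issued nonce -> highest nonce count accepted

    def add_user(self, username, password):
        self.ha1[username] = _md5_hex(f"{username}:{self.realm}:{password}")

    def issue_nonce(self, nonce=None):
        # A fixed nonce may be passed in for reproducible checks (assumption).
        nonce = nonce or secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        ha1 = self.ha1.get(username)
        if ha1 is None or nonce not in self.last_nc:
            return False                      # unknown user or nonce not issued here
        count = int(nc, 16)
        if count <= self.last_nc[nonce]:
            return False                      # replayed or stale nonce count
        ha2 = _md5_hex(f"{method}:{uri}")
        expected = _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False                      # wrong password or tampered request
        self.last_nc[nonce] = count
        return True
```

Digest protects only the credential exchange, not the message body, so it is normally still run over TLS.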
+1  A: 

In the end I've picked the simplest approach: Web services are implemented as simple stateless SOAP services, where username and password get passed with every request.

Product page

Rinat Abdullin