I'm relatively new to WCF and would like some opinions on what's the best (or most correct) way to implement authentication on an application that exposes its business-layer operations through WCF?

Is a token supposed to be passed, encrypted username/password and verified each time... or what?

Also any links would be appreciated.

Thank you

A: 

I know of one which I use: it's using the ASP.NET membership framework to do authentication with WCF. I'm currently trying to allow OpenID and other providers into the system, which makes me rethink the ASP.NET membership for this type of authentication.

But if you are controlling your own accounts, I'd go with the ASP.NET membership.

Shawn Mclean
+1  A: 

WCF offers a lot of mechanisms for authentication and subsequent authorisation.

As for authentication: if you're behind a corporate firewall in a LAN, using the straight Windows credentials is the easiest - no messy username/passwords to remember and send around, it just works out of the box. This can be combined with authorisation checks against the Windows group membership system, e.g. only allow certain groups of users to perform an action.

If you're looking at internet-facing services, you have the choice between username/password schemes, or certificates. The standard username/password scheme can be checked against the ASP.NET membership system that ASP.NET 2.0 brought us, both for authentication (membership) as well as authorisation (role provider).

Certificates are great if you're dealing with a very limited set of external users, e.g. business partners or such. The certificate must be delivered to the client "out of band", i.e. by some other way, on disk or something. But once installed, it's seamless to use and to verify.

Juval Lowy (author of "Programming WCF Services") has a great article on MSDN on Declarative WCF Security in which he highlights his five security scenarios, how to use and secure them, and he even has a declarative extension for WCF to do this by merely applying an attribute to your service contract - pretty smart!

marc_s
+1  A: 

One very important security consideration is that security in WCF works on two levels:

Message security

  • Username/Password
  • Token
  • Windows Credentials
  • Client Certificate
  • etc.

Transport Security

  • Service Certificate
  • etc. (I don't really know others because I've only used one)

It's good practice to use transport-layer security to protect the communication in general, and message-layer security to authenticate the user as a valid user and approve his privileges.

Whether you authenticate on every call is determined by whether the service contract is defined as a

  • Singleton
  • PerService
  • PerCall

I suggest using PerCall as it's the most efficient use of hardware resources, but this depends a lot on your situation.

Neil
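The two layers marc_s and Neil describe, written out as a self-hosted WCF service: one host for the LAN case (transport security over TCP with the caller's Windows credentials) and one for the internet case (TLS on the transport plus a username/password token in the message, checked against the ASP.NET membership provider), both with PerCall instancing. This is an added example, not code from any of the answers; the contract, the `PreviewService` name and the `BUILTIN\Users` group are constructed placeholders, and the membership/role providers are assumed to be configured in web.config.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]
public interface IPreviewService
{
    [OperationContract]
    string WhoAmI();
}

// PerCall: WCF builds a fresh instance for every request, so nothing from a
// previous caller survives in the object and each request carries and proves
// its own credential.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class PreviewService : IPreviewService
{
    public string WhoAmI()
    {
        // Whichever binding authenticated the caller, the result lands here.
        // An anonymous context means the endpoint was configured to allow it.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Caller is not authenticated.");

        string name = ctx.PrimaryIdentity.Name;

        // Intranet variant: a real Windows identity is present, so group
        // membership can be checked directly (placeholder group name).
        if (ctx.WindowsIdentity != null && !ctx.WindowsIdentity.IsAnonymous)
        {
            var principal = new WindowsPrincipal(ctx.WindowsIdentity);
            bool inGroup = principal.IsInRole(@"BUILTIN\Users");
            return name + " (windows credentials, in group: " + inGroup + ")";
        }
        return name + " (username token)";
    }
}

public static class PreviewHosts
{
    // LAN scenario: transport security on TCP with Windows credentials.
    // No password is sent by the application; Kerberos/NTLM negotiate it.
    public static ServiceHost CreateIntranetHost(Uri netTcpBase)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        var host = new ServiceHost(typeof(PreviewService), netTcpBase);
        host.AddServiceEndpoint(typeof(IPreviewService), binding, "");
        // Default, stated explicitly: roles are Windows groups.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        return host;
    }

    // Internet scenario: TLS protects the whole exchange (transport layer),
    // and a username/password token inside the message identifies the caller
    // (message layer), validated by the ASP.NET membership provider.
    public static ServiceHost CreateInternetHost(Uri httpsBase)
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // No secure-conversation session: the credential travels with every
        // call, which is what PerCall instancing expects.
        binding.Security.Message.EstablishSecurityContext = false;

        var host = new ServiceHost(typeof(PreviewService), httpsBase);
        host.AddServiceEndpoint(typeof(IPreviewService), binding, "");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.MembershipProvider; // default provider from config
        // Roles come from the ASP.NET role provider, so IsInRole and
        // [PrincipalPermission] checks evaluate against it.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        return host;
    }
}
```

Note that `TransportWithMessageCredential` requires an `https://` base address; the server certificate is bound to the port by IIS or http.sys, not set on the host. Choosing `TransportWithMessageCredential` rather than plain `Message` security keeps the TLS layer doing the encryption while the message layer only carries the credential, which is the split Neil's answer recommends.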
+1  A: 

I recently implemented a rather large WCF service layer for some media preview services. Since we are exposing it against the internet, Windows authentication wasn't an option. Due to the fact that we already had an existing user/role system, we also decided not to use ASP.NET membership providers.

I ended up implementing a custom authentication/authorization module and using SSL as the transport layer security element. Using WCF attributes, I can check for role permissions using the standard WCF infrastructure.

Links that helped me on my way getting to the goal:

http://blogs.msdn.com/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx

http://www.leastprivilege.com/CustomPrincipalsAndWCF.aspx

http://www.samuelotter.com/node/7

schaermu
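The custom path schaermu describes, assembled as an added example (not schaermu's code or any of the linked posts): a `UserNamePasswordValidator` that authenticates against an existing user store, an `IAuthorizationPolicy` that replaces the principal with one carrying that store's roles, and a declarative `[PrincipalPermission]` role check on the operation. The `IUserStore` interface, the `Editor` role and the `DeletePreview` operation are hypothetical stand-ins for the application's own user/role system.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Hypothetical adapter over the application's existing user/role system.
public interface IUserStore
{
    bool CheckPassword(string userName, string password);
    string[] GetRoles(string userName);
}

// Step 1, authentication: WCF calls Validate for every message that carries a
// UserName token. Throwing rejects the call before the operation ever runs.
public class StoreBackedValidator : UserNamePasswordValidator
{
    private readonly IUserStore store;
    public StoreBackedValidator(IUserStore store) { this.store = store; }

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)
            || !store.CheckPassword(userName, password))
        {
            // One generic message: do not reveal whether the user exists.
            throw new FaultException("Unknown username or incorrect password.");
        }
    }
}

// Step 2, authorization: swap in a principal whose roles come from the store,
// so PrincipalPermission demands are evaluated against those roles.
public class StoreBackedAuthorizationPolicy : IAuthorizationPolicy
{
    private readonly IUserStore store;
    private readonly string id = Guid.NewGuid().ToString();
    public StoreBackedAuthorizationPolicy(IUserStore store) { this.store = store; }

    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        object obj;
        if (!evaluationContext.Properties.TryGetValue("Identities", out obj)) return false;
        var identities = obj as IList<IIdentity>;
        if (identities == null || identities.Count == 0) return false;

        IIdentity identity = identities[0]; // identity established by the validator
        var principal = new GenericPrincipal(identity, store.GetRoles(identity.Name));
        evaluationContext.Properties["Principal"] = principal; // becomes Thread.CurrentPrincipal
        return true;
    }
}

[ServiceContract]
public interface IPreviewAdmin
{
    [OperationContract]
    string DeletePreview(string previewId);
}

public class PreviewAdmin : IPreviewAdmin
{
    // Step 3: declarative check. A caller without the role gets an
    // access-denied fault; the method body never executes.
    [PrincipalPermission(SecurityAction.Demand, Role = "Editor")]
    public string DeletePreview(string previewId)
    {
        return "deleted " + previewId + " as " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}

public static class PreviewAdminHost
{
    public static ServiceHost Create(Uri httpsBase, IUserStore store)
    {
        // TLS on the transport (schaermu's SSL), username token in the message.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(PreviewAdmin), httpsBase);
        host.AddServiceEndpoint(typeof(IPreviewAdmin), binding, "");

        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new StoreBackedValidator(store);

        // Custom mode tells WCF to take the principal from our policy.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies =
            new List<IAuthorizationPolicy> { new StoreBackedAuthorizationPolicy(store) }.AsReadOnly();
        return host;
    }
}
```

The validator only answers "is this password right"; the policy only answers "what may this user do". Keeping the two separate is what lets the attribute-based role checks work unchanged if the credential type later changes (for example to a certificate or a federated token), since only the identity source is replaced, not the authorization logic.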