How to authenticate and keep track of users with WCF/JSON?

Question

I'm implementing a service in WCF and need to have custom user authentication, by means of a username/password. This service is configured as a WebScript(JSON) service.

I would like to know if it's possible to obtain a security context so I don't have to include a hash or user/pass in every call. I know I can use a certificate for this, but I need to have the uses/pass mechanism of authenticating.

I'm going to be talking to this service using AJAX(jQuery), and it should be possible to use basic HTTP authentication.

This service will later on also expose other endpoints, for example over TCP, and this does support "proper" authentication.

There are so many ways to go for security in WCF, I feel kind of lost, and it feels like the more I read about it the less I know.

Answer 1

Given that you will be using jQuery for this (which assumes an HTTP transport), the first thing you have to do is make sure that the scheme for this endpoint is HTTPS. If it is not, then you will be in a lot of trouble, as you are subject to man-in-the-middle attacks.

This blog entry shows how to go about creating a custom username/password validator:

http://blogs.msdn.com/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx

If you are using HTTPS, then you should be able to set the security mode to transport instead of message and it should work.

That being said, for this service, if you don't want to pass the user and password every time, then you will need a session-based service on the back end, which will require the use of a cookie (but that will be handled for you in the binding).

Answer 2

In addition to using HTTPS I would recommend taking a look at this article on building REST services with WCF. There is a section on using HMAC that has some good ideas. Depending on your scenario you may also want to consider offloading auth to another provider(OpenId implementor) and just maintain a profile on your side sans password.