We are working with a vendor to develop a mobile app and plan on using WCF services to handle operations. What are some types of authentication I can use with a WCF service? Would we send a user name and password through the SOAP header? How can we accomplish this securely?

Also, this will be authenticated against our .NET membership database using the Membership classes. Thoughts? Thanks.

A: 

What O/S is the mobile device running? It seems to me that the mobile device can use Windows Authentication if the mobile app is written using a framework (such as the .NET compact framework) to authenticate, just like you would with a web application. Set up the connection to use SSL and you're golden.

Another means could be to write a challenge/response system similar to Windows Authentication - but this seems like overkill unless the mobile app is on an operating system that doesn't support Windows Auth.

If you're at all familiar with the ASP.NET MembershipProvider/RoleProvider/MembershipUser model, it's fairly easy to use once you get past the limitations their model incurs.

BenAlabaster
The mobile device can be an iPhone or Droid. Our tech lead discovered a built-in WCF service that will handle SOAP authentication (System.Web.ApplicationServices.AuthenticationService) which we were going to look into further. I don't know much about this at the moment but wanted to see how, in general, generic clients would authenticate against a WCF service and the built-in Membership model.
Ryan Peters
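
One way to configure what the question and answer describe (user name and password carried in the SOAP security header, over SSL, validated against the ASP.NET Membership database), as an added example that is not part of the original thread. The service, contract, binding and behavior names are hypothetical, and `AspNetSqlMembershipProvider` (the default provider name) is assumed to be the configured membership provider.

```xml
<!-- web.config fragment for the WCF service host (added example) -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- TransportWithMessageCredential: HTTPS protects the channel,
           and the credentials travel as a WS-Security UsernameToken
           in the SOAP header. WCF refuses to send the token unless
           the endpoint address is https. -->
      <binding name="userNameOverSsl">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
      <!-- Setting to avoid: mode="None" (or TransportCredentialOnly
           on plain http) would expose the password on the wire. -->
    </basicHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="membershipAuth">
        <serviceCredentials>
          <!-- Validate the UsernameToken with Membership.ValidateUser
               through the named provider instead of Windows accounts. -->
          <userNameAuthentication
              userNamePasswordValidationMode="MembershipProvider"
              membershipProviderName="AspNetSqlMembershipProvider" />
        </serviceCredentials>
        <!-- Do not publish metadata over plain http. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <!-- Hypothetical service and contract names. -->
    <service name="Example.MobileService"
             behaviorConfiguration="membershipAuth">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="userNameOverSsl"
                contract="Example.IMobileService" />
    </service>
  </services>
</system.serviceModel>
```

`basicHttpBinding` is used here because non-.NET clients such as iPhone and Android SOAP stacks generally interoperate with it more easily than with `wsHttpBinding`; the site hosting the service must have an HTTPS binding with a certificate the mobile client trusts.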