Hi, I have a several-part question regarding authorization. I have a WPF ClickOnce application. It talks to a few WCF Services. Users will be on the VPN or domain authenticated. If a user is on the VPN, the application will prompt for credentials and impersonate using those credentials. I'm authenticating users using System.DirectoryServices.AccountManagement.
Now I need to implement authorization. I would like to use Windows domain accounts and map the domain accounts to Roles or Groups.
0.) What is the recommended approach to authorization for the scenario above? I see Microsoft provides WCF Role Services. I don't see any advantage to calling a WCF Service rather than an API (at least for my application). The authorization implementation will be used only by my application which is completely in .NET. I'd rather avoid the deployment and performance costs of using another WCF service unless there is some unseen benefit (like no other option).
1.) Using WCF Authorization Services, is it possible to impersonate a user when calling client.GetRolesForCurrentUser()?
2.) What is the difference between Roles and Groups? I tried finding an equivalent library for the functionality WCF Authorization Services provides (i.e. client.GetRolesForCurrentUser()). I did find the UserPrincipal::GetGroups() method. It returns Groups (who knew) that seem to be essentially the same, but don't seem to be tied to the domain.
3.) Are there some other libraries for authorization you are using that I should consider?
4.) Another alternative seems to be the Client Application Services. It looks like it would still require a web service. Since I don't need the multiple application support or the authentication piece, it feels like overkill. Thoughts?
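As an added illustration (not code from the question or from any of the libraries it names), the following shows how System.DirectoryServices.AccountManagement, which the question already uses for authentication, can also supply domain group membership and map it to application roles without a separate WCF role service. Binding the PrincipalContext with ContextType.Domain is what ties the returned groups to the domain; GetAuthorizationGroups() additionally resolves nested membership, which GetGroups() does not. The domain name, group names, role names and credentials below are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Added example: resolve a domain user's group membership and map it to
// application roles. All names below (domain, groups, roles) are constructed.
public static class DomainRoleResolver
{
    // Constructed mapping: domain group (SAM account name) -> application role.
    // Keep this on the service side; the client cannot be trusted to enforce it.
    private static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "APP-Admins",  "Administrator" },
            { "APP-Editors", "Editor" },
            { "APP-Readers", "Reader" },
        };

    // Returns the set of application roles for the given domain user.
    // bindUser/bindPassword are the credentials used to query the directory
    // (for the VPN case these would be the ones the application prompted for).
    public static ISet<string> GetRoles(string domain, string samAccountName,
                                        string bindUser, string bindPassword)
    {
        // ContextType.Domain binds to the domain, so the groups returned are domain groups.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, bindUser, bindPassword))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new InvalidOperationException("User not found in domain: " + samAccountName);

            // GetAuthorizationGroups() follows nested group membership;
            // GetGroups() would return only direct memberships.
            using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
            {
                var roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
                foreach (Principal g in groups)
                {
                    // Unknown groups are ignored: deny by default, grant only mapped roles.
                    if (g.SamAccountName != null &&
                        GroupToRole.TryGetValue(g.SamAccountName, out string role))
                    {
                        roles.Add(role);
                    }
                }
                return roles;
            }
        }
    }

    // Authorization check a WCF service operation would call before doing work.
    public static bool IsAuthorized(ISet<string> roles, string requiredRole)
    {
        return roles.Contains(requiredRole);
    }
}
```

The role check belongs inside each WCF service operation (or in a service-side authorization policy), not in the WPF client: a ClickOnce client can be modified by the user, so a decision made there is a usability hint, not a security boundary. Caching the resolved role set per session also avoids a directory round-trip on every call, which addresses the performance concern raised in the question.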