I am writing a web service that acts as a proxy to many other services, and for each of these services I need to pass along the user's password for that particular service.

I'd like to keep the password encryption details out of the main part of the service and let the client deal with another specialized part of the service (let's call it the "encryption service" for now) in order to obtain a password token beforehand. The client and server agree on an encryption method, the client uploads the password to the encryption service, and the service returns an ID that can be used with the main service when specifying the value of passwords, etc.

The main service has knowledge of all the passwords uploaded to the encryption service for the duration of the session. It has no knowledge of, and doesn't care, what encryption method was used.

My question is: what terminology should I be using here? There must be some system in existence that does something similar. I am trying to determine how I should name the following parts of the system:

  1. The encryption service that interns an uploaded string and returns an ID for it.
  2. The ID that is returned. (Password token?)

I'd like to stay away from the term "password" as it is too specific; this functionality can be used for general parameters that need to be encrypted that are not necessarily passwords.

A: 

It depends on the technology you are using, but you could take a look at the Web Services Security UsernameToken Profile.

http://www.oasis-open.org/committees/wss/documents/WSS-Username-02-0223-merged.pdf

You can tell your consumers to send a WSSE UsernameToken in the header, regardless of their technology choice. You can then interrogate the header in your service code or via an intermediary such as an XML Gateway (or just another service, I suppose).

On the Microsoft stack, Web Service Extensions 2.0 and 3.0 have classes that implement these concepts.

If you're using something a bit more modern like WCF, you can write a custom UserNamePasswordValidator.

http://msdn.microsoft.com/en-us/library/aa702565.aspx

Again, assuming you're using Microsoft.

Jason Alati
+1  A: 

You can have a look at http://en.wikipedia.org/wiki/Kerberos_(protocol), where Kerberos, which is a network authentication protocol, is explained. In Kerberos, there is a session ticket concept which is similar to the ID you mention. But that session ticket expires after an amount of time for security reasons.

You can also check http://web.mit.edu/kerberos/ .

Zafer
+1  A: 

If you're looking for terminology, the service is usually called a Security Token Service. Typically, the "ID" that is returned is simply called a security token or just simply a token.

Zach
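As an added illustration (not code from the question or any of the answers), here is a minimal in-memory security token service in the shape the question describes: the client hands a secret to the token service and gets back an opaque token, and the main service later resolves that token to the secret for one session only. Tokens expire, like the Kerberos session ticket mentioned above; the class and method names, the TTL and the injectable clock are all assumptions made for this example.

```python
# Added example: a minimal Security Token Service that interns a secret and
# returns an opaque token bound to one session. Not code from the original
# question or answers; names and the default TTL are assumptions.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Entry:
    secret: str
    session_id: str
    expires_at: float


class SecurityTokenService:
    """Interns a secret and hands back an opaque, expiring, session-bound token."""

    def __init__(self, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._store: Dict[str, _Entry] = {}

    def issue(self, secret: str, session_id: str) -> str:
        # The token is random: it reveals nothing about the secret and cannot
        # be predicted from earlier tokens the way a counter or hash could.
        token = secrets.token_urlsafe(32)
        self._store[token] = _Entry(secret, session_id, self._clock() + self._ttl)
        return token

    def resolve(self, token: str, session_id: str) -> Optional[str]:
        """Return the secret, or None if the token is unknown, expired,
        or was issued to a different session (the main service calls this)."""
        entry = self._store.get(token)
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            del self._store[token]  # purge expired tokens when they are touched
            return None
        if not secrets.compare_digest(entry.session_id, session_id):
            return None
        return entry.secret

    def end_session(self, session_id: str) -> int:
        """Forget every token of a session once the session ends; returns the count."""
        doomed = [t for t, e in self._store.items() if e.session_id == session_id]
        for t in doomed:
            del self._store[t]
        return len(doomed)
```

The main service never sees which encryption or storage method the token service used; it only exchanges a token and a session ID for the secret.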