I'm working with WCF at the moment and attempting to implement a custom security model based around an API key and signature (similar to how Facebook/Flickr/OAuth etc. work).

There are a whole bunch of classes like ServiceAuthorizationManager, SecurityToken, SecurityTokenValidator, IAuthorizationPolicy and so on, but I can't seem to find any documentation about how these work together or what the conceptual security model is for WCF.

I'm really looking for something that details how these classes fit and work together, so I can understand where to extract credentials, where to validate they are correct, where to decide what level of access to give them and so on. If there is a book I can buy about this stuff it would be even better, as all the WCF books I have found skip over all this stuff entirely.

Is there any documentation out there?

+2  A: 

Take a look at Juval Lowy's excellent "Programming WCF Services," 2nd Edition:

Here's the link to Amazon's page on it.

Chapter 10 is completely devoted to security.

Microsoft has released a WCF Security Guide - a free(!) eBook. You can find it here.

That's an awful lot of information to wade through. Good luck!

Terry Donaghe