views:

877

answers:

2

Our system consists of a self-hosted (non-IIS) WCF service and an Asp.net website which hosts a Silverlight application. The application is supposed to do pretty much everything, the website is just a "shell" in this case.

We have a hard time figuring out how to solve user authentication securely.

To my knowledge, Silverlight can not handle windows authentication, does not have any kind of credentials object. The best we can think of, is to authenticate the user when he requests the page, which hosts the app. Then we can pass the user name to the app in its' init parameters.

That way we have a username which can be sent to the wcf service, and can serve as a base for handling roles. The problem is, anyone can call our service without a silverlight client, and pass in a user name. Also, sending unencrypted sensitive data between the WCF service and the Silverlight app is a bad idea. So, my question is:

How to authenticate the client in this scenario securely?

+1  A: 

Has anyone tried this with Silverlight 3? I have a similar situation, and want to implement authentication using message headers (I definately don't want to use ASP.Net cookies) but the solution given here seems to be outdated (doesn't compile correctly with SL3). I'm about to try find and fix the errors, was just hoping someone may either have a fixed example, or perhaps a better solution?

Seems to me like whenever anyone asks about authentication with SL and WCF, the standard solution is RIA services and ASP.Net Forms Auth built into the web site, I'm hoping for a slightly better answer :-)

Andrew