I have a site where members login to their account (FormsAuth). I would like to set up a RESTful service that I can access using jQuery. I would like to protect these services using the same FormsAuth.

How would a third-party site be able to access these services? They would need to pass in the Principal/Identity to the service, right?

I've only seen examples of Basic Authentication (which Twitter uses and jQuery supports).

I'm very new to WCF/REST, so not sure how this should be done.

A: 

You could make it complicated and use a token. Flickr is an example for such an authorization mechanism.

In theory the token is valid for so and so long, and you pass it along in requests, etc. It's not very RESTy though (IMHO). But you basically provide one method which returns the token and maybe a date (for the other application to remember) and then the other app uses the token until it expires, which is when it has to request a new one.

Till
+1  A: 

The big thing to keep in mind is that Forms authentication works based on cookies. When the client browser sends a request to the server, it sends the cookie with each request. If the server requires a specific cookie (ASP.NET makes this a requirement if you're enforcing authentication on a particular URL) and the cookie isn't there, this is when you get the unauthorized error.

In order to get your jQuery code, the client has to request it from a host page, which could be an ASP.NET page that is protected via Forms Authentication. This is the first step - securing access to the jQuery code itself. The next thing you need to do is secure access to the RESTful endpoint.

If you put the .svc endpoint (assuming you're hosting the RESTful WCF service in IIS) in the same directory as part of your application that is being protected by Forms Authentication via Web.config settings, then ASP.NET will reject requests to the .svc endpoint before WCF is told about the request. In this fashion, you can wrap your WCF service in Forms Authentication without having to do any complicated coding within the service.

Since jQuery, when making HTTP requests of your endpoint, is doing so from within the context of your browser, HTTP requests made from jQuery (so long as the jQuery was loaded from the same root as your forms authenticated site) will contain the authentication cookie.

Kevin Hoffman
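The directory-level protection described in the answer above, written out as a Web.config fragment. This is an added example, not configuration from the question or the answer; the `Members` folder, the `.MEMBERAUTH` cookie name and the `Login.aspx` path are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms Authentication for the whole application. requireSSL keeps the
         ticket cookie off plain HTTP, so it cannot be read on the wire. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" name=".MEMBERAUTH" requireSSL="true" timeout="30" />
    </authentication>
    <!-- Weak site-wide default: anonymous requests are allowed. A .svc placed
         at the application root would be reachable without a ticket. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Hardened: every request under /Members (assumed folder), including
       /Members/Service.svc, must carry a valid forms ticket. "?" means anonymous,
       so the deny rule fires before the request reaches WCF. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.serviceModel>
    <!-- Lets the service run inside the ASP.NET pipeline so HttpContext.Current.User
         (the forms identity) is available to the service code if it needs it. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>
</configuration>
```

One thing to check when testing: an unauthenticated call to the protected .svc is answered with a 302 redirect to the login page rather than a 401, so the jQuery success callback may receive login HTML instead of an error; inspect the response before treating it as data.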
A: 

@Kevin Hoffman: this was helpful to me. I needed to know whether or not the cookie would be available to the WCF service when passed via a jQuery ajax request. Now I can use SessionMode=SessionMode.Required in my WCF service. I only want authenticated users to have access to the service, so this sounds like it'll work.

NovaJoe