Azure ACS 2.0 with Microsoft Account on Windows 8

I'm securing my Windows 8 to Windows Azure hosted WCF service connection using SSL. I'm interested in verifying that the user is using my Windows 8 app and not just some 'hacker' using Fiddler.

I obviously can't store a username and password inside the C# code, and in this situation I'd really like to avoid asking the user for a username and password every time they use the application (or ever, for that matter).

I've had a look into Azure ACS but it looks like it's for single sign in only and the user will have to enter the username and password every time.

Is there any way to:

  • Use the default Microsoft Account (which most users will have entered when they set up Windows 8) with ACS?
  • Encrypt and store the user's login details to prevent the user having to enter login details every time?

Thanks!

user1567095 asked Sep 19 '12 12:09


2 Answers

About your requirement "I'm interested in verifying that the user is using my Windows 8 app and not just some 'hacker' using Fiddler.", I am not sure how deep you would try securing your application, as if others want to try consuming your application differently, they will find their way, and if you think using ACS or LiveSDK adds any security, I don't think so.

ACS or LiveSDK services are ways to authenticate a specific user and then allow them to use your application. Once the authentication token is given to your application about a specific user and you do not have a way to save and again verify that info, there is no difference between having ACS/LiveSDK based authentication in your application or not having it. These oAuth based services are just a way to authenticate the user; you would still need to write an extra layer of code to provide user specific service.

It does not matter if you use ACS/oAuth or your own membership service, the user will have to enter username and password to get authenticated from time to time. Based on login time and type, you can keep the user active for x amount of time as a live session; however the session will expire and the user will have to enter the username and password. Storing username and password locally to avoid entering credentials again is not a good application design.

Now about your first question: you should be using LiveSDK (not Azure ACS) to authenticate Live (Hotmail, Live, Skydrive and Outlook domain) users, because in Windows 8 most of the services are using these IDs, so using one of these will help your application to be part of the same eco-system. You can use this latest doc to use Live SDK in your application. If you use Live SDK in your Windows 8 application and the user uses the same Live ID for their other applications on Windows 8 and logs in before your application, your application will already have a live session to use, depending on Live ID and application settings.

About your second question "Encrypt and store the user's login details to prevent the user having to enter login details every time?", I am not sure why you need it. First of all, no oAuth service will give you user login credentials, only the user name, which you can save to verify the user if he visits again and that you can use to be sure that it is a proper user. You must store this info to the cloud and then, once authenticated, do whatever you want.

AvkashChauhan answered Nov 02 '22 01:11


Take a look at this credential store sample for Windows 8 modern-style applications - http://code.msdn.microsoft.com/windowsapps/PasswordVault-f01be74a. It's not Azure ACS - but it should hopefully help you solve your issue. PasswordVault is a new API (Windows.Security.Credentials.PasswordVault) building on the identity features we saw introduced in .NET 3. It allows you to securely store remote application credentials in the OS, in a protected store, and dynamically access them within your application. The user remains in complete control of the store and can remove the data by using the control panel if they so wish. Currently this is the way most modern applications are persisting data such as OAuth tokens for remote service calls such as Twitter.

This will only work for third party identities. If you want to use the Microsoft Account instead, follow the guidance above and take a look at the LiveSDK.

LewisBenge answered Nov 02 '22 02:11

LewisBenge
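The PasswordVault approach from the answer above, as an added example (not code from either answer or from the linked MSDN sample): the app caches the token the remote service issued, not the user's password, in the OS-protected vault, so the user is not prompted on every launch and can still clear the entry from the Control Panel. The resource name "MyWcfService" and the `TokenCache` class are hypothetical.

```csharp
// Added example (not from the answers above). Caches a remote-service OAuth
// token in Windows.Security.Credentials.PasswordVault. Resource name and class
// name are hypothetical; a token, never the user's password, is what is stored.
using System;
using Windows.Security.Credentials;

public static class TokenCache
{
    // Logical name of the remote service the token belongs to (hypothetical).
    private const string Resource = "MyWcfService";

    // Persist the token. An existing entry for the same resource/user is
    // removed first so a refreshed token does not leave a stale copy behind.
    public static void Save(string userName, string token)
    {
        var vault = new PasswordVault();
        Forget(userName);
        vault.Add(new PasswordCredential(Resource, userName, token));
    }

    // Look the token up. Returns null when nothing is stored: the vault
    // signals "not found" by throwing, not by returning null.
    public static string Load(string userName)
    {
        var vault = new PasswordVault();
        try
        {
            PasswordCredential cred = vault.Retrieve(Resource, userName);
            cred.RetrievePassword();   // ensure the Password property is populated
            return cred.Password;
        }
        catch (Exception)
        {
            return null;
        }
    }

    // Remove the token, e.g. on sign-out or when the service rejects it.
    public static void Forget(string userName)
    {
        var vault = new PasswordVault();
        try
        {
            vault.Remove(vault.Retrieve(Resource, userName));
        }
        catch (Exception)
        {
            // nothing stored for this user; nothing to remove
        }
    }
}
```

Because the server still validates the cached token on every call, a revoked or expired token simply fails and the app falls back to the normal Live SDK sign-in, which keeps the "prompt again when the session expires" behaviour the first answer describes.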