I am looking to expose a service to a selection of clients over the internet. At this stage the API is very small, and I only want known clients to be able to access the service. I don't need to be able to identify the clients now; however, I envisage that in future I will need to be able to identify clients as the API grows.
I'm wondering what the best way to secure the service is in the short term, with a view to the longer term where I may want to be able to authorise client access to specific methods on the service?
I was thinking of using Transport security - i.e. SSL. Should I also look at using Message security with clientCredentialType="certificate", in which case each client will have their own certificate that will authenticate them with the service?
Or should I simply provide each client an API key which will provide a similar level of client differentiation?
Any other suggestions welcome.
Note that this is a service-to-service interface - i.e. not a client application. The number of users of the service will be limited, and I don't foresee needing to apply security at the data level, more so at the method access level.
The simplest approach for now would be to add SSL to your IIS host and then change the clients to connect on HTTPS, like this...
<security mode="Transport">
  <transport clientCredentialType="None" />
</security>
Give them each a key, and they have to submit a SHA signature with their request (an encoded version of some/all of the parameters they're passing in, so you can also do the SHA and check it matches).
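The key-plus-signature scheme described in the answer above, as an added example that is not part of the original post. It signs a canonical string (method, path, sorted parameters, timestamp, body hash) with HMAC-SHA256 under the client's key rather than hashing key and parameters together, and it binds a timestamp so a captured request cannot be replayed indefinitely. The client ids, keys, header names and canonical format are assumptions made for the example; the service returns the authenticated client id so that per-method authorisation can be layered on later.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed example data: per-client API keys the service keeps server-side.
# In a real deployment these live in a secret store, not in source.
CLIENT_KEYS = {
    "client-a": b"3f1c0b8e9d2a4f6b8c1d2e3f4a5b6c7d",
    "client-b": b"0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d",
}

# How far a request's timestamp may drift from server time before it is rejected.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, params, timestamp, body):
    """Deterministic byte string covering everything the signature protects.

    Parameters are sorted so client and server serialise them identically;
    the body is hashed so large payloads do not bloat the string.
    """
    query = urlencode(sorted(params.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, str(timestamp), body_hash]).encode()


def sign(client_id, key, method, path, params, body=b"", timestamp=None):
    """Client side: produce the headers that accompany a request (header names assumed)."""
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, params, timestamp, body)
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp), "X-Signature": sig}


def verify(headers, method, path, params, body=b"", now=None):
    """Server side: return the authenticated client id, or None if the request is rejected.

    Returning the id rather than a bare True is what later lets you grant
    specific clients access to specific methods.
    """
    if now is None:
        now = int(time.time())
    client_id = headers.get("X-Client-Id")
    key = CLIENT_KEYS.get(client_id)
    if key is None:
        return None  # unknown client
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None  # malformed timestamp
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return None  # stale or replayed request
    expected = hmac.new(key, canonical_string(method, path, params, timestamp, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so a timing side channel cannot leak the expected value.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None
    return client_id


if __name__ == "__main__":
    now = 1_700_000_000
    params = {"orderId": "42", "action": "cancel"}
    hdrs = sign("client-a", CLIENT_KEYS["client-a"], "POST", "/orders", params, b"{}", timestamp=now)
    print(verify(hdrs, "POST", "/orders", params, b"{}", now=now))                            # client-a
    print(verify(hdrs, "POST", "/orders", {**params, "orderId": "43"}, b"{}", now=now))       # None: tampered
    print(verify(hdrs, "POST", "/orders", params, b"{}", now=now + 3600))                     # None: too old
```

The signature must still travel over HTTPS: it proves who sent the request and that the signed fields were not altered, but it does not hide the parameters or body from anyone on the path.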