I'm working on an application which allows data entry and display from both a Windows Phone application and an MVC 3 web interface. Data access for the phone client is via authenticated WCF services hosted in the MVC 3 application. Users will be tracking information which is unique to them, so the service will only show me data which I have entered.
What is the simplest way to handle identity in this scenario? I'd thought of using Windows Live ID, since the phone application has access to a Windows Live Anonymous ID property. However, from what I can tell there's no way to allow for a web-based Windows Live sign-in which gives me the same Windows Live Anonymous ID - Windows Live Messenger Connect login gives me a site-specific unique ID, which would be different from the phone client's Anonymous ID.
Alternatively, I could use Facebook authentication on both client and phone with Facebook SDK. My concern there is in securing the service calls. I'm thinking that the first time a device connects with the service with a Facebook ID, the server issues it a key, and both the Facebook ID and the server-issued key are required for service access.
Thoughts on the above? Is there a simpler solution that I'm missing?
After you enable Windows authentication, you can use the [Authorize] attribute to control access to controllers or controller actions. This attribute can be applied to an entire MVC controller or a particular controller action.
By default MVC apps use Forms Authentication and Simple Membership, so you need to make it "false" to run Windows Authentication. Select the project name in Solution Explorer and then, in the Property Explorer, click to enable Windows Authentication.
Create a new ASP.NET web application. A window asking what kind of web application you want to create will be displayed. Select MVC in the above window. Select the type of authentication you want for your web site by clicking on the Change Authentication button.
There are three types of authentication available in ASP.NET MVC. With Forms Authentication, the user provides credentials through a form. Windows Authentication is used in conjunction with IIS authentication.
Dear Jon, I have no experience with WP development, but I did a little searching on WCF auth for a couple of days recently and found that apiKey auth is nearly the best way for me. Rob Jacobs has explained how it works in this article:
http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx
An alternative to an API Key is to use claims based identity and security tokens. You could use the Windows Azure Access Control Service as a trusted issuer of security tokens, with the value add that it comes pre-configured to use LiveID, Facebook, Google, any OpenID and any WS-Federation identity provider. Both the web site and the web service would trust ACS.
ACS will give you SAML tokens for the web site (allowing your users to login to it with LiveID, Google or FB).
ACS can also issue Simple Web Tokens (SWT), which are especially neat for REST services (assuming the phone client uses that).
You can't use the LiveID associated with the phone in your app, but you can still use LiveID (or any other identity provider). This is an example of how to do it. It uses the common approach of embedding a web browser in the phone app and using it for all security token negotiation.
Using ACS gives you a lot of flexibility without all the complexity. Making a web site "claims aware" and trust ACS is very straightforward. More samples here: http://claimsid.codeplex.com
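An added example, not part of the answer above and not taken from ACS or its samples: a service-side check of a Simple Web Token in C#, verifying the trailing HMACSHA256 field before trusting any claim, then issuer, audience and expiry. The signing key, namespace, audience URL and `UserId` claim are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class SwtCheck
{
    const string SigField = "&HMACSHA256=";

    // Returns the claims if signature, issuer, audience and expiry all check out; null otherwise.
    public static Dictionary<string, string> Validate(string token, byte[] key, string issuer, string audience, DateTime utcNow)
    {
        int cut = token.LastIndexOf(SigField, StringComparison.Ordinal);
        if (cut < 0) return null;
        string signedPart = token.Substring(0, cut);   // the HMAC covers everything before the last field
        byte[] presented;
        try { presented = Convert.FromBase64String(Uri.UnescapeDataString(token.Substring(cut + SigField.Length))); } catch (FormatException) { return null; }
        if (!FixedTimeEquals(Mac(signedPart, key), presented)) return null;
        var claims = new Dictionary<string, string>();   // parsed only after the signature verified
        foreach (string pair in signedPart.Split('&'))
        {
            string[] kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length != 2 || claims.ContainsKey(kv[0])) return null;   // malformed or duplicated field
            claims[kv[0]] = Uri.UnescapeDataString(kv[1].Replace('+', ' '));
        }
        string iss, aud, exp; long seconds;
        if (!claims.TryGetValue("Issuer", out iss) || iss != issuer) return null;
        if (!claims.TryGetValue("Audience", out aud) || aud != audience) return null;   // token minted for another service
        if (!claims.TryGetValue("ExpiresOn", out exp) || !long.TryParse(exp, out seconds)) return null;
        var expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(seconds);
        return expires > utcNow ? claims : null;
    }

    static byte[] Mac(string text, byte[] key) { using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.ASCII.GetBytes(text)); }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;   // compare without exiting early on the first mismatch
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample values; a real key comes from the relying-party settings in ACS.
        byte[] key = Encoding.ASCII.GetBytes("constructed-demo-key");
        string iss = "https://example-ns.accesscontrol.windows.net/", aud = "https://api.example.test/";
        string body = "UserId=user-123&Issuer=" + Uri.EscapeDataString(iss) + "&Audience=" + Uri.EscapeDataString(aud) + "&ExpiresOn=4102444800";
        string token = body + SigField + Uri.EscapeDataString(Convert.ToBase64String(Mac(body, key)));
        Console.WriteLine("genuine accepted: " + (Validate(token, key, iss, aud, DateTime.UtcNow) != null));
        Console.WriteLine("tampered accepted: " + (Validate(token.Replace("user-123", "user-456"), key, iss, aud, DateTime.UtcNow) != null));
    }
}
```

The service should key each user's data on a claim taken from the validated token, never on an identifier the phone sends alongside it.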