WCF User Authentication & Authorization

Question

I need to find a way to authenticate/authorize users in a WCF-service. I'm using an external authentication service which stores the credentials of the users.

Eg. "Bob uses our loginmethod, we send the credentials to the authentication service, the service lets us know if these credentials are correct." If Bob sends another request, we need to know if Bob is already authenticated.

Now a session is being created on the client, but it needs to move to the server-side. We can not rely on clients for security.

Can this be solved by using security cookies or do any of you have a better suggestion?

EDIT! I can only use the authentication server and do not have access to it

Answer 1

The problem you are describing is a well-known one that had (at least) two standardized solutions.

Federation using WS-Trust

The first option is a SOAP based one that uses active federation based on WS-Trust. In this solution:

• Your client provides credentials to the authentication service
• If the credentials are valid, the authentication service returns a signed (and encrypted) token to the client. It is encrypted so that any information contained in the token remains confidential - even the client cannot read it. It is encrypted with a public key belonging to the your WCF service. It is signed with a private key belonging to the authentication service.
• The client submits the signed/encrypted token to your WCF service. The service can decrypt it because it holds the private key for decryption. It can trust it because it is signed by the authentication service.
• Based on the content of the decrypted token, the service can establish the client identity and make an authorization decision.

In this model, the usual terminology is:

• Your authentication service the Security Token Service
• Your WCF service is the Relying Party
• your client is the Client

This sounds complex, but it is very well supported in .Net and WCF using Windows Identity Foundation. There are many samples available much of it (maybe all) can be done via WCF configuration rather than code.

This is well suited to scenarios where the clients are crypto-capable (like your .Net clients) and where good frameworks exist (like WIF). It is not so good for low spec clients such as browsers and some phones, or where you are not in control of the clients.

It is commonly used in enterprise scenarios, including enterprise-to-enterprise federation. It is used less often in internet scenarios.

the strengths of it are

• It is standardised and therefore generally well supported by frameworks
• It means that your WCF service never has to handle the client credentials (= more secure)
• It makes it pretty easy to switch to different authentication services (because it is standardised). For example, on-premise AD and Windows Azure AD both support this, as do other independent identity services

An overview can be found here:

http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

And Google will show you lots more walkthroughs and examples.

Federation using OAUth 2

In this solution:

• The client displays some UI provided by the authentication service (generally a web page)
• The user enters their credentials in that UI and the authentication service authenticates and eventually returns a token to the client. The nature of the token is not standardised, nor is whether it is encrypted. Generally it will be at least signed.
• The client submits the token with each request to the WCF service
• The WCF service authenticates the token as in the previous solution

In the OAuth terminology:

• Your authentication service is the Authorization Server
• Your WCF service is the Resource Owner
• Your client is the Client

Again, this sounds complex, but it is reasonably well supported in .Net. Probably not as well as the WS-Trust approach though at the moment. It is supported by Windows Azure AD and on the client side, using the Windows Azure Authentication Library. May other services use this approach - e.g. Facebook.

This works well where

• Your client is low spec or not crypto-capable (e.g. a browser or some phones)
• You do not control the client (e.g. a third party application is accessing your service)

It is very commonly used in internet application where you as an owner of the WCF service don't necessarily know the users or the clients. It is a less complete standard in some ways (e.g. it does not define exactly how the authentication happens) and as a result, it is less easy to switch to alternative authorisation servers.

The strengths of it are:

• It is simpler and therefore has wider platform support
• It is growing in popularity and therefore the library support is getting better all the time
• The user never enters their credentials into your UI, only into the auth server, so it is more likely to be trusted (in internet scenarios)
• It has a built in way of controlling the scope of the permissions granted to the client, and revoking those permissions, so again it is more trusted in an internet scenario

The official .Net support for this is in the Windows Azure AD Authentication library

http://msdn.microsoft.com/en-us/library/windowsazure/jj573266.aspx

There are other, open source components too, such as DotNetOpenAuth

http://dotnetopenauth.net/

Which solution would be best for you depends mainly on the nature of your authentication service I would say. And on whether you are in an enterprise or internet scenario. If the auth. service could be easily adapted to be a WS-Trust Secure Token Service (STS), then that would be a good route. If adding some web UI to the auth. service is feasible, the OAuth might be better.

Or, if neither option is feasible, you could just borrow the patterns form one approach and use that without going for the full standard.

Good luck!