I have a registration service (.NET, preferably REST based) that is shared between three applications. Two .NET applications and one Java. They both will register users through this registration service. The registration API lives on it’s own server.
My question is what is the best/correct way to authenticate the registration request going to the registration service if a user isn’t logged in?
Does a secret key need to be involved?
Should a username/password be shared between all applications using the registration service?
Should I block IP’s that don’t come from the three application services?
If the service is hosted in IIS 7+ it is rather trivial to add IP restriction support without the need to change any code. You can use ‘Address and Domain Restrictions’ module to restrict inbound connections to the service at the site or virtual directory level.
http://technet.microsoft.com/en-us/library/cc731598(WS.10).aspx
Otherwise if you want to go beyond plain IP restrictions, you will most likely need to change code and leverage some sort of authentication store to accomplish this. I think that it is difficult to assess what is best/correct given the limited information provided. For example, if the service in question is a WCF service, you may be able to leverage Windows and/or NTLM authentication with no code changes if the callers are .NET clients by merely editing the WCF server and client binding configurations.
The correct approach would take into consideration the exposure risk of leaving the registration service unprotected and couple it with the effort involved in securing it. There is no one size fits all approach to this kind of question.