The Archive Base

Editorial Team
Asked: May 19, 2026

I’m planning a setup for a distributed application that spans several machines and will use WCF to send data in between.

Machine A

  • Front end website http://www.site.com
  • Password protected site using Forms Authentication

Machine B

  • WCF Application Service
  • http://service1.site.com/DoSomething.svc

Machine C

  • WCF Application Service
  • http://service2.site.com/DoSomething.svc

The WCF services on Machine B and Machine C should check that the request from Machine A has been authenticated. How can I check that the request is authenticated across the different machines?

I only care that the request is authenticated and am not concerned about securing the message body (because we are not sending any sensitive data across the wire), so SSL is not required.

What authentication methods can I use for the above scenario?

1 Answer

  1. Editorial Team
    Added an answer on May 19, 2026 at 3:03 am

    It depends on how complex and secured your solution should be. WCF can also validate a user based on a membership provider. Such a scenario requires that you pass user credentials to each WCF service call, and in the end you will authenticate the user on each layer again. This will not work because the web application uses credentials only for one request and subsequent requests have an authentication token in a cookie. But WCF requires authentication of each call. So when using a membership provider in WCF you need to store user credentials in session on Machine A. I really don’t like the idea of storing client credentials somewhere in memory for the whole session.

    I would probably use something like:

    Low security scenario:

    You mentioned that you are building a distributed application, so there should probably be some kind of trust among your tiers (Machine A – C). Is anonymous access allowed on Machine A? If not, can your tier on Machine B trust the tier on Machine A that it authenticated users? Same with C and B? In such a case you don’t need to deal with authentication on Machine B and C at all and instead use Windows security to allow access only to the account running the client tier (A is client of B, B is client of C).

    High security scenario:

    This is usually used when you want to avoid the situation where somebody hacks the web on Machine A and in such a case is authenticated for all actions on Machine B, or when you need authorization based on the user’s original identity.

    You will not perform direct authentication on Machine A. Instead, a custom membership provider (or direct forms authentication) on Machine A will call an authentication service on Machine B. The service will create a token for the “security session”. Based on the implementation, this token can be used only for communication between A and B (you have to store it in session) or for the whole communication between client, A and B (you will pass it in a cookie). Machine C trusts Machine B. This can be further extended to a full federated scenario.

    This will not avoid session hijacking (sniffing the cookie with the token between the client and Machine A – to avoid this you need HTTPS between client and A) but without the token, a hacker can do anything on your Machine B or C.

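The "security session" token from the high security scenario above, as an added example that is not part of the original answer: an in-memory token store that the authentication service on Machine B could use to issue a token at login and check it on every later call. The names `SecuritySessionStore`, `Issue`, `TryValidate` and `Revoke`, the user `alice` and the 20-minute lifetime are assumptions; how the token is carried in each WCF call is not shown.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical token store for the authentication service on Machine B.
public sealed class SecuritySessionStore
{
    private sealed class Session { public string User; public DateTime ExpiresUtc; }
    private readonly ConcurrentDictionary<string, Session> _sessions =
        new ConcurrentDictionary<string, Session>();
    private readonly TimeSpan _lifetime;
    public SecuritySessionStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called once, after B has verified the credentials that Machine A forwarded.
    public string Issue(string user)
    {
        var raw = new byte[32];   // 256 random bits, so the token cannot be guessed
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _sessions[token] = new Session { User = user, ExpiresUtc = DateTime.UtcNow + _lifetime };
        return token;             // A keeps this in session state or a cookie
    }

    // Called at the start of every service operation; yields the original identity.
    public bool TryValidate(string token, out string user)
    {
        user = null;
        Session s;
        if (string.IsNullOrEmpty(token) || !_sessions.TryGetValue(token, out s)) return false;
        if (s.ExpiresUtc <= DateTime.UtcNow) { Revoke(token); return false; }
        user = s.User;
        return true;
    }

    public void Revoke(string token) { Session removed; _sessions.TryRemove(token, out removed); }
}

public static class Demo
{
    public static void Main()
    {
        var store = new SecuritySessionStore(TimeSpan.FromMinutes(20));
        string user;
        string token = store.Issue("alice");   // constructed sample user
        Console.WriteLine(store.TryValidate(token, out user) + " " + user);
        Console.WriteLine(store.TryValidate("not-a-real-token", out user));
        store.Revoke(token);                   // logout on Machine A
        Console.WriteLine(store.TryValidate(token, out user));
    }
}
```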
