We are building a web service with WCF on .net 4.0. The service will be used mainly by an ASP.net MVC frontend, but will also be used by a .net Windows App.
The basic username/password auth provided won’t do since we don’t want to save user credentials, so I was thinking about authenticating once and creating a simple token (or should I call it a cookie?) with RNGCryptoServiceProvider.GetBytes() and then using that to authenticate further requests.
I’ve looked into the various common methods to do security with WCF and they mostly seem overly complex, especially when all we want to do is essentially pass a cookie to every method call.
What would be the best strategy to pass this cookie from a WCF client to our WCF services? The preferred method would be as tightly coupled with WCF’s security architecture as possible.
So far I was leaning towards either using custom HTTP headers or custom authorization, but I’m not convinced which is the more appropriate method, if any.
Keep in mind that for the ASP website, a new channel would be created for every request, while it would be reused on the Windows app.
IMO there are two ways to do WCF security: Transport or Message.
You could implement username type authentication in your application. So the client side would have to fill in a username and password for sending a message.
So the binding on the client side would look like
On the server side you could implement your own password validator, as shown in this example
Doing this would authenticate your message on the server; you can implement whatever logic you want for your password validation. Using this, your message would be encrypted using SSL and authenticated using your own logic implemented on the service side.
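A sketch of the set-up this answer describes, added here as an example and not the answerer's own code: a custom UserNamePasswordValidator on the service side plus the matching client binding, with the question's random token sent in the password slot so the service never stores a user password. TokenValidator, Wiring, lookupToken and the contract type T are assumed names, and TransportWithMessageCredential (HTTPS carrying a UserName token in the message) is one reading of "encrypted using SSL".

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Service side: WCF calls Validate() for every message carrying a UserName token. The
// "password" slot carries the question's opaque session token; lookupToken is a hypothetical store.
public class TokenValidator : UserNamePasswordValidator
{
    private readonly Func<string, string> lookupToken;
    public TokenValidator(Func<string, string> lookupToken) { this.lookupToken = lookupToken; }
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Missing user name or token");
        string expected = lookupToken(userName);
        // Same failure for unknown user and wrong token. Throwing here makes WCF
        // reject the message before the service operation runs.
        if (expected == null || !string.Equals(expected, password, StringComparison.Ordinal))
            throw new SecurityTokenException("Invalid user name or token");
    }
}

public static class Wiring
{
    // Both ends: HTTPS protects the channel, the UserName token rides inside the message.
    public static WSHttpBinding MakeBinding()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }
    // Service side: expose the contract with that binding and plug in the validator.
    public static void Configure<T>(ServiceHost host, Func<string, string> lookupToken)
    {
        host.AddServiceEndpoint(typeof(T), MakeBinding(), "");
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new TokenValidator(lookupToken);
    }
    // Client side (MVC site or Windows app): user name + token travel with every call.
    public static T Open<T>(string url, string userName, string token)
    {
        var f = new ChannelFactory<T>(MakeBinding(), new EndpointAddress(url));
        f.Credentials.UserName.UserName = userName;
        f.Credentials.UserName.Password = token;
        return f.CreateChannel();
    }
}
```

The MVC site can call Open per request and the Windows app can keep the returned channel open, which matches the channel lifetimes described in the question.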