How should I handle user identity for a Window Phone / WCF / ASP.NET MVC application?
I'm working on an application which allows data entry and display from both a Windows Phone application and an MVC 3 web interface. Data access for the phone client is via authenticated WCF services hosted in the MVC 3 application. Users will be tracking information which is unique to them, so the service will only show me data which I have entered.

What is the simplest way to handle identity in this scenario? I'd thought of using Windows Live ID, since the phone application has access to a Windows Live Anonymous ID property. However, from what I can tell there's no way to allow for a web-based Windows Live sign-in which gives me the same Windows Live Anonymous ID - Windows Live Messenger Connect login gives me a site-specific unique ID, which would be different from the phone client's Anonymous ID.

Alternatively, I could use Facebook authentication on both client and phone with Facebook SDK. My concern there is in securing the service calls. I'm thinking that the first time a device connects with the service with a Facebook ID, the server issues it a key, and both the Facebook ID and the server issued key are required for service access.

Thoughts on the above? Is there a simpler solution that I'm missing?

Dalrymple answered 28/3, 2011 at 22:9 Comment(0)
2

Dear Jon, I have no experience in WP development, but I did a little research on WCF auth for a couple of days recently and found that API key auth is nearly the best way for me. Rob Jacobs has explained how it works in this article:

http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx

Audraaudras answered 28/3, 2011 at 22:20 Comment(1)
@Jon No problem, sir. You always help me out and I'm happy to help with that even if this was not a big thing. Audraaudras
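As an added example (not code from the question, the linked article or any of the answers), this is one way to implement the API key check recommended above in a WCF 4 REST service: a message inspector resolves the key to the user it was issued to, or rejects the call with 401 before the operation runs, and the resolved user is handed to the operation so that data can be scoped to it. The header name `X-Api-Key` and the `IApiKeyStore` interface are assumptions.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;

// Assumed key store (not from the page): maps a server-issued key to the user it was
// issued to. A real deployment would back this with the application's database.
public interface IApiKeyStore
{
    string FindUser(string apiKey);   // null when the key is unknown or revoked
}

// Runs before every operation on the endpoint and rejects requests without a valid key.
public class ApiKeyInspector : IDispatchMessageInspector
{
    private readonly IApiKeyStore _store;
    public ApiKeyInspector(IApiKeyStore store) { _store = store; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        // Read the key from a header (assumed name X-Api-Key) rather than the query
        // string, so it does not end up in access logs or proxy caches.
        var web = WebOperationContext.Current;
        string key = web == null ? null : web.IncomingRequest.Headers["X-Api-Key"];
        string user = string.IsNullOrEmpty(key) ? null : _store.FindUser(key);
        if (user == null)
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        // Hand the resolved user to the operation so it only returns that user's data.
        OperationContext.Current.IncomingMessageProperties["AuthenticatedUser"] = user;
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Endpoint behavior that installs the inspector; add it to the REST endpoint next to WebHttpBehavior.
public class ApiKeyBehavior : IEndpointBehavior
{
    private readonly IApiKeyStore _store;
    public ApiKeyBehavior(IApiKeyStore store) { _store = store; }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher)
    { dispatcher.DispatchRuntime.MessageInspectors.Add(new ApiKeyInspector(_store)); }
    public void AddBindingParameters(ServiceEndpoint e, BindingParameterCollection p) { }
    public void ApplyClientBehavior(ServiceEndpoint e, ClientRuntime r) { }
    public void Validate(ServiceEndpoint e) { }
}
```

An operation can then read `OperationContext.Current.IncomingMessageProperties["AuthenticatedUser"]` and filter its query by that user instead of trusting any identifier the client sends in the request body.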
2

An alternative to an API Key is to use claims based identity and security tokens. You could use the Windows Azure Access Control Service as a trusted issuer of security tokens, with the value add that it comes pre-configured to use LiveID, Facebook, Google, any OpenID and any WS-Federation identity provider. Both the web site and the web service would trust ACS.

ACS will give you SAML tokens for the web site (allowing your users to login to it with LiveID, Google or FB).

ACS can also issue Simple Web Tokens (SWT), which are especially neat for REST services (assuming the phone client uses that).

You can't use the LiveID associated with the phone in your app, but you can still use LiveID (or any other identity provider). This is an example of how to do it. It uses the common approach of embedding a web browser in the phone app and using it for all security token negotiation.

Using ACS gives you a lot of flexibility without all the complexity. Making a web site "claims aware" and having it trust ACS is very straightforward. More samples here: http://claimsid.codeplex.com

Dialectal answered 2/4, 2011 at 17:29 Comment(0)
1

If you need to link the Phone to a user on the MVC site you could do what Netflix and Amazon do for Roku and other devices and have some sort of an activation process. To make it easier you could use a QR Code or some other type of barcode generated by the MVC site, have the user take a picture of it, and process the image using the Silverlight ZXing Barcode Scanning Library. Probably a bit convoluted, but it works for all the set top boxes.

Clichy answered 28/3, 2011 at 23:17 Comment(0)
