WCF: Authentication Service or token-based security?
Asked Answered
M

2

7

There's a Dynamic CRM instance on a server ("on-premises"). It will be used by a few sites that run on distant machines (another domain, another Active Directory). The communication between those sites and the CRM instance is done via a CRM proxy, a WCF service that sits near it (near CRM), handles requests, queries CRM etc.

That WCF service is facing the Internet. Although secured communication channels aren't that necessary, authentication is. We cannot let random clients to use the services provided by the CRM proxy.

So, Authentication Service (cookies?) / hand-coded token passing (as a parameter for each service operation) / this solution - on stackoverflow.

Thank you in advance!

PS: hand-coded tokens would be "time-sensitive" and hashed a few times with some secret keys. Man-in-the-middle might not be such a big problem, as a token can be invalidated after a request.

Marta answered 5/7, 2012 at 17:34 Comment(0)
H
11

Hand-coded token passing is not very elegant. It pollutes your method signatures and makes you duplicates checks all over the place.

If you are able to distribute credentials to your service clients, or pass in credentials that they already use for your system, then I suggest using message security with a custom username & password validator.

The steps to implement it are simple enough. You only need to implement a UserNamePasswordValidator:

A short configuration summary from the linked article:

Specify the security mode in your binding:

<security mode="Message">
    <message clientCredentialType="UserName"/>
</security>

In your service behavior add:

<serviceCredentials>
    <userNameAuthentication 
        userNamePasswordValidationMode="Custom" 
        customUserNamePasswordValidatorType="YourFullUserNameValidatorType"/>
</serviceCredentials>

Then clients just need to set their credentials directly on the service proxies. So they're not passed in service operations.

serviceClient.ClientCredentials.UserName.UserName = "username";
serviceClient.ClientCredentials.UserName.Password = "password";

Your UserNamePasswordValidator will get these credential for each service operation call and you will have the chance to validate them against your credentials store.

However, for more security, you could look into certificate authentication. It's more reliable and you are not required to buy a cert from a CA. If you can also setup yourself as a CA on the client computers, then your good to go. It's appropriate especially because you only have a few clients, so they would be easy to manage.

Hermann answered 5/7, 2012 at 18:58 Comment(0)
R
2

For the question above the preivous answer is good enough. However, I want to suggest another approach: Custom Token Authentication.

It is more poweful by giving a possibility to create/support Custom Service Credentials which are created based on the authentification token (UserName).

In my case I have encrypted access token which holds all needed information for the access: user name, user groups (authorization information), validation period, ect.

In your case it can be UserName & Password. The Credential will hold the information about your user and can be used later on in the code.

See the following link for implementing Custom Token Authentication: https://learn.microsoft.com/en-us/dotnet/framework/wcf/samples/token-authenticator

Ratliff answered 15/4, 2019 at 12:3 Comment(1)
Well, my answer was from 2012. I'd say nowadays go with token based auth.Hermann

© 2022 - 2024 — McMap. All rights reserved.