What is considered "best practice" for user authentication/authorization for WPF and WCF applications?
Say I have a .NET rich client (WPF) application that will be deployed in 3 different scenarios simultaneously:

  1. client & server code runs in a single process
  2. client code runs on an intranet computer and communicates via WCF to a server machine where the app/domain/infrastructure code runs
  3. same as #2 but the client can run on a machine outside of the firewall. A custom list of users & roles shall be centrally maintained (i.e., credentials aren't based on Windows login)

What is a simple, proven practice for implementing the same user authorization/authentication model for this application? I.e., I want to use the same approach in my presentation layer, application layer, domain layer, etc, regardless of how the application is deployed.

Should users/roles be explicitly maintained in my SQL database via my existing Entity Framework model? Should Thread.CurrentPrincipal be the approach used by code that needs to authorize certain app features, or should some IUserService be dependency-injected?

This is a low-profile application so security is not of critical importance -- just something basic.

Thanks

Edit

After spending hours researching WIF / claims-based authentication, I still don't see any guidance on how to create a stand-alone .NET desktop application that employs this type of security. All discussions are geared to either ASP.NET or WCF. I need my application to use a standard approach that can be used in both distributed (WCF) and stand-alone deployment scenarios.

Obeng answered 8/7, 2015 at 20:48 Comment(2)
Look into claims-based authentication and claims-based authorization. It's part of the .NET framework. – Deflexed
I haven't tried these yet, but searching for "custom authentication wpf" shows social.technet.microsoft.com/wiki/contents/articles/… and pages with the same basic content like blog.magnusmontin.net/2013/03/24/custom-authorization-in-wpf – Nesmith

Take a look at this. I presume it's what you're looking for:

https://gist.github.com/stonetip/8745656

    using System;
    using System.Configuration;
    using System.IdentityModel.Tokens;         // JwtSecurityTokenHandler, TokenValidationParameters (the 3.x API the gist targets)
    using System.ServiceModel.Security.Tokens; // BinarySecretSecurityToken
    using System.Threading;
    using System.Web;

    // Wrapper method added so the gist's snippet compiles as a unit; 'token' is the raw JWT string received from the client
    public static void ValidateAndSetPrincipal(string token)
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        var convertedSecret = EncodeSigningToken(ConfigurationManager.AppSettings["ClientSecret"]);

        // Set the expected properties of the JWT token in the TokenValidationParameters
        var validationParameters = new TokenValidationParameters()
        {
            AllowedAudience = ConfigurationManager.AppSettings["AllowedAudience"],
            ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
            SigningToken = new BinarySecretSecurityToken(convertedSecret)
        };

        // ValidateToken throws if the signature, issuer, audience or lifetime is wrong, so only a token that passed every check replaces the principal
        Thread.CurrentPrincipal = tokenHandler.ValidateToken(token, validationParameters);

        // Inside ASP.NET, keep the request's User in step with the thread principal
        if (HttpContext.Current != null)
        {
            HttpContext.Current.User = Thread.CurrentPrincipal;
        }
    }

    // The gist's helper is not shown on the page; this body assumes the shared secret is stored Base64-encoded in config
    private static byte[] EncodeSigningToken(string base64Secret)
    {
        return Convert.FromBase64String(base64Secret);
    }
Orangery answered 10/5, 2016 at 5:40 Comment(0)

Generally speaking, it's better to go for token-based authentication like JWT. The main reason is its flexibility across various types of clients and servers. For example, if in the future you need to add a mobile app (iOS, Android, whatever) to the solution, you can do it without any problem. You can also enhance your app with RESTful services like Web API, etc.

So my suggestion for you, if you're starting the project, is to go for token-based auth.

Have a look at these URLs; you may find them useful:

https://msdn.microsoft.com/en-us/library/ms751506%28v=vs.110%29.aspx

http://www.rhyous.com/2015/02/05/basic-token-service-for-wcf-services-part-1/

Orangery answered 6/5, 2016 at 5:23 Comment(4)
Thanks. Since I posted this I've shifted my thinking towards Web API, but still know very little about it. Can you provide any links to how token-based authentication would work in Web API? I need something that will integrate with my existing server code that relies on the Thread.CurrentPrincipal model, using a custom IPrincipal implementation. I'm not clear on how all this communications/token stuff maps over to the thread's IPrincipal for the code to make authorization demands of. – Obeng
You're welcome. Take a look at this one: codeproject.com/Articles/1005485/… – Orangery
Thanks. It looks like there's a wealth of great information there. One thing that's not clear to me: that article discusses "token based authentication", but is it referring to JWTs specifically? – Obeng
It's a general topic on how to apply token-based auth, but it doesn't matter: JWT (Java Web Token) is just a token format; you can use the same process to use JWT as well. – Orangery
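The domain-side half of what the comments above ask about, as an added example that is not part of the question or either answer: one ClaimsPrincipal-based model that serves the single-process deployment and the distributed ones alike. The names UserStore, AuthorizationService and the sample users are hypothetical. In scenarios 2 and 3 the principal is installed on the server from the validated token (as in the JwtSecurityTokenHandler answer), never from a principal the client sends, because a client outside the firewall is not a trusted source of roles; the client may set its own Thread.CurrentPrincipal only to drive what the UI shows.

```csharp
// Added example, not code from the question or the answers. UserStore, AuthorizationService
// and the sample users are hypothetical stand-ins for the central user/role list.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.Threading;

// Hypothetical in-memory stand-in for the users/roles table kept in the SQL database.
public static class UserStore
{
    // Constructed sample data: user name -> roles.
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Admin", "Editor" } },
            { "bob",   new[] { "Viewer" } },
        };

    // Builds the principal from the central user/role list. In the in-process deployment
    // this runs right after the password check (not shown); in the WCF/Web API deployment
    // the same claims travel in the token and the server rebuilds the principal from the
    // validated token instead, so domain code never sees a difference.
    public static ClaimsPrincipal CreatePrincipal(string userName)
    {
        string[] roles;
        if (!Roles.TryGetValue(userName, out roles))
            return null; // unknown user: caller treats this as unauthenticated

        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));

        // authenticationType must be non-null, otherwise Identity.IsAuthenticated is false.
        var identity = new ClaimsIdentity(claims, "Custom", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }
}

// Authorization gate used by application/domain code. It reads only Thread.CurrentPrincipal,
// so the calling code is identical in every deployment scenario.
public static class AuthorizationService
{
    public static bool IsInRole(string role)
    {
        var principal = Thread.CurrentPrincipal;
        // Fail closed: no principal, an unauthenticated identity (the framework's default
        // GenericPrincipal on .NET Framework) and a missing role all deny.
        return principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated
            && principal.IsInRole(role);
    }

    // Throws instead of returning false, for code paths that must not continue.
    public static void Demand(string role)
    {
        if (!IsInRole(role))
            throw new SecurityException("Role '" + role + "' required.");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Scenario 1 (single process): set the principal straight from the store.
        Thread.CurrentPrincipal = UserStore.CreatePrincipal("bob");
        Console.WriteLine("bob Admin?  " + AuthorizationService.IsInRole("Admin"));  // bob has no Admin role
        Console.WriteLine("bob Viewer? " + AuthorizationService.IsInRole("Viewer"));

        // Scenarios 2/3: on the server, the WCF operation or Web API pipeline sets
        // Thread.CurrentPrincipal from the validated token; the domain code below is unchanged.
        Thread.CurrentPrincipal = UserStore.CreatePrincipal("alice");
        AuthorizationService.Demand("Admin"); // alice holds Admin, so this returns normally

        // Unknown user: the principal is null and every check is refused.
        Thread.CurrentPrincipal = UserStore.CreatePrincipal("mallory");
        Console.WriteLine("unknown Viewer? " + AuthorizationService.IsInRole("Viewer"));
    }
}
```

Compile as a console project against .NET Framework 4.5 or later (System.Security.Claims). On the WCF side, the usual place to install the server-side principal for the duration of an operation call is a custom IAuthorizationPolicy with ServiceAuthorizationBehavior.PrincipalPermissionMode set to Custom, which keeps the domain code above free of any transport-specific dependency.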
