Is WIF a good option for securing WCF 4.0 Restful service with iPhone

4

6

I have a project which needs to expose a WCF RESTful service to an iPhone/iPad client. The WCF worked, now I need to secure it with a username and password.

For some reason I am a little reluctant to go with CustomBasicAuth.

OAuth is also not ideal in the WCF world for now; you have to create a wrapper to work around it. Please DO correct me if I am wrong.

Now, I am looking at the Windows Identification Foundation. To be honest, that looks like a smart way, but it is lacking documentation.

There are 2 things that have to be taken into consideration:

  1. The implementation has to be iPhone friendly (not just used in the .NET world).

  2. The implementation needs to be easily deployed to the cloud (Azure).

I would like to know which option you would choose, and what the reason for choosing it is. Any links or references will be greatly appreciated.

Gerdes answered 13/12, 2010 at 1:16 Comment(0)
1

You might want to try this basic authentication implementation for WCF REST, http://weblogs.asp.net/cibrax/archive/2009/03/20/custom-basic-authentication-for-restful-services.aspx

Based on your requirements, basic authentication should be enough for what you need. WIF will only add some noise in the mix.

Thanks Pablo.

Hyperon answered 15/2, 2011 at 16:13 Comment(1)
Nice blog post, btw. But... AFAIK, webHttpBinding, which is required for WCF REST, does not support HTTPS hosts. And Basic authentication requires HTTPS in order to be secure. How to get around that? - Deadbeat
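As an added example that is not part of the original thread or of the linked articles, here is a sketch of the Basic-authentication check discussed above, written as a WCF `ServiceAuthorizationManager` that refuses requests that did not arrive over HTTPS. The class name, the `ValidateCredentials` hook and the realm string are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;
// Added sketch. Derive from this class, implement ValidateCredentials, and register
// the subclass via <serviceAuthorization serviceAuthorizationManagerType="..."/>.
public abstract class BasicAuthManager : ServiceAuthorizationManager
{
    // Assumption: the subclass checks the pair against its own user store.
    protected abstract bool ValidateCredentials(string user, string password);

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Basic credentials are only base64-encoded, so refuse plain HTTP outright.
        Uri via = operationContext.IncomingMessageProperties.Via;
        if (via == null || via.Scheme != Uri.UriSchemeHttps)
            throw new WebFaultException(HttpStatusCode.Forbidden);

        string header = WebOperationContext.Current.IncomingRequest
            .Headers[HttpRequestHeader.Authorization];
        string user, password;
        if (TryParseBasic(header, out user, out password)
            && ValidateCredentials(user, password))
            return true;
        // Challenge so the client knows to retry with credentials.
        WebOperationContext.Current.OutgoingResponse.Headers.Add(
            "WWW-Authenticate", "Basic realm=\"api\"");   // realm is a placeholder
        throw new WebFaultException(HttpStatusCode.Unauthorized);
    }

    // Parses "Basic base64(user:password)"; returns false on any malformed input.
    internal static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        try
        {
            string decoded = Encoding.UTF8.GetString(   // UTF-8 is an assumption
                Convert.FromBase64String(header.Substring(6).Trim()));
            int colon = decoded.IndexOf(':');   // split on the first ':' only
            if (colon <= 0) return false;
            user = decoded.Substring(0, colon);
            password = decoded.Substring(colon + 1);
            return true;
        }
        catch (FormatException) { return false; }
    }
}
```

On the hosting side, a `webHttpBinding` configured with `<security mode="Transport">` puts the endpoint on HTTPS, which is what the scheme check expects. If TLS is terminated in front of the service, the service sees `http` and the scheme check has to be adapted.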
0

Windows Identity Foundation - WIF, uses SAML 2.0 claims.

So it is a good fit both for cross platform and the cloud.

Here is a link to WIF documentation: http://msdn.microsoft.com/en-us/security/aa570351

Note that WIF is also used for Windows Azure Access Control Services.

Adenoid answered 22/11, 2011 at 19:36 Comment(1)
WIF doesn't work with SAML2 out of the box; it has an extension from this May which fixes this problem, but it is buggy. Have you met any field examples or use cases for using WIF features on iPhone? - Velutinous
0

I'm using WIF in a custom STS in Azure for one of our sites. I think my only concern would be whether the agent, in this case iPhone/iPad, can handle the size of the cookies that WIF generates, as they can be quite large. We've been inundated with exceptions related to the claim not working in certain browsers due to cookie size limits. Of course, I don't know if these limits exist for the platforms you're using.

Diffusivity answered 28/11, 2011 at 17:34 Comment(0)
0

Check this nice CodeProject article:

http://www.codeproject.com/Articles/149738/Basic-Authentication-on-a-WCF-REST-Service

I am investigating this issue as well, so I am not sure this is the full approach, but it is still worth reading.

I would add the following architectural concern to your question:

What if you want to support both active (WCF) and passive (web browser authentication) in the same system? I am still not sure about that.

Rebarbative answered 1/4, 2012 at 18:10 Comment(0)
