0

I'm trying to find a standard solution in WCF for the following scenario:

I have 2 services. Service1 wants to send a request to service2. I want service1 to send credentials in order to authenticate before service2 responds to its request.

I don't want to use SSL or to copy certificates between all the network services.

This is my solution:

I will create one "security service".

Service1 will authenticate against the security service.

On successful authentication, this security service will provide service1 a custom token, signed by the security service.

Service1 will attach this token to each of its requests.

Service2 will validate this token and, if validation succeeds, will handle the request.

The answer is if there is a way in C# (WCF) to implement this mechanism.

Thanks

fransua
  • See this question: http://stackoverflow.com/questions/964433/how-to-add-a-custom-header-to-every-wcf-calls – Jaapjan Apr 19 '12 at 08:31
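
The scheme described in the question, as an added example (not code from the question or from either answer): the security service signs a token with its RSA private key, and service2 checks it in a WCF dispatch inspector using only the public key. The token layout, the header name `AuthToken`, the namespace `urn:example:auth` and the class names are assumptions made for illustration; `RSA.SignData` with these parameters needs .NET Framework 4.6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.Text;

// Hypothetical token format: base64(payload) + "." + base64(RSA signature),
// where payload is "subject|expiryUtcTicks".
public static class SignedToken
{
    // Security service side: signs with its private key. expiresUtc must be a UTC time.
    public static string Issue(RSA privateKey, string subject, DateTime expiresUtc)
    {
        if (subject.Contains("|")) throw new ArgumentException("subject must not contain '|'");
        byte[] payload = Encoding.UTF8.GetBytes(subject + "|" + expiresUtc.Ticks);
        byte[] sig = privateKey.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(sig);
    }
    // Service2 side: needs only the public key. Returns the subject, or null if invalid.
    public static string Validate(RSA publicKey, string token, DateTime nowUtc)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, sig;
        try { payload = Convert.FromBase64String(parts[0]); sig = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        // Check the signature before trusting anything inside the payload.
        if (!publicKey.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)) return null;
        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        long exp;
        if (fields.Length != 2 || !long.TryParse(fields[1], out exp) || exp <= nowUtc.Ticks) return null;
        return fields[0];
    }
}

// Service2: rejects any request that lacks a valid, unexpired token header.
public class TokenDispatchInspector : IDispatchMessageInspector
{
    private readonly RSA _issuerPublicKey;
    public TokenDispatchInspector(RSA issuerPublicKey) { _issuerPublicKey = issuerPublicKey; }
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        int i = request.Headers.FindHeader("AuthToken", "urn:example:auth");
        string subject = i < 0 ? null : SignedToken.Validate(_issuerPublicKey, request.Headers.GetHeader<string>(i), DateTime.UtcNow);
        if (subject == null) throw new FaultException("Invalid or missing token");
        return null;
    }
    public void BeforeSendReply(ref Message reply, object correlationState) { }
}
```

Service1 can attach the token with `MessageHeader.CreateHeader("AuthToken", "urn:example:auth", token)` in `IClientMessageInspector.BeforeSendRequest`. Sent without transport or message protection, the token is a bearer credential that anyone able to read the traffic can replay until it expires, so the expiry should be short.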

2 Answers

1

Microsoft offers WIF (Windows Identity Foundation) for this type of claims-based authorization. Have a look at this article:

http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

Regards.

Shoaib Shaikh
0

If you are talking about WCF services, look at what kinds of security WCF supports: None, Transport, Message, TransportWithMessageCredential, TransportCredentialOnly, Both. You said that you are not interested in transport security, so there is still Message security in the list.

WCF supports the following credential types when you are using message level security:

  • Windows. The client uses a Windows token representing the logged in user’s Windows identity. The service uses the credentials of the process identity or an SSL certificate. You will use this in the sample application that demonstrates the first scenario (internal self-hosted service).
  • UserName. The client passes a user name and password to the service. Typically, the user will enter the user name and password in a login dialog box. The service can validate the user name and password using a Windows account or the ASP.NET membership provider. You will use this in the sample application that demonstrates the third scenario (public Web-hosted service).
  • Certificate. The client uses an X.509 certificate and the service uses either that certificate or an SSL certificate.
  • IssueToken. The client and service use the Secure Token Service, which issues tokens the client and service trust. Windows CardSpace uses the Secure Token Service.
  • None. The service does not validate the client.

Next, what you didn't say, but what is important for determining the authentication type, is how you are going to host your services, especially service 2. Windows authentication is good for internal self-hosted services, but I'm not sure that is your case. So, if your service will be hosted in IIS, UserName is suitable for you, and support for digest authentication is what you need. Read "Digest Authentication on a WCF REST Service". And if it will not be an IIS-hosted service, or you need an alternative solution, it could be using a Security Token Service. But the latest, better solution is claims-based authentication; you can find a link in the other answers.

paramosh
  • I want to use my own custom authentication type. The authentication will be done only when service1 requests the token from the authentication service. – fransua Apr 19 '12 at 10:45