I am in the process of creating a WCF RESTful service that will be secured by passing externally obtained authentication tokens in the HTTP headers. In summary, the sequence is much like this:

- Client: Get authentication token from identity server
- Client: Construct REST call placing authentication token in a custom HTTP header
- Client: Perform GET
- REST server: Verify auth token is present
- REST server: Query identity server to verify token and obtain user context
- REST server: Authorise user
- REST server: Perform service action
So, my question is: what is the best way of going about doing this in WCF/.NET? I could of course hand-craft the authentication/authorisation check in my REST method, i.e.

```csharp
public void DoSomething(string input)
{
    if (Authed())
    {
        // ...Do DoSomething...
    }
    else
    {
        throw new FaultException<MyFault>(new MyFault("Not today, thanks"));
    }
}

public bool Authed()
{
    // Pull the externally issued token out of the custom request header
    string rawUserAuthToken = WebOperationContext.Current.IncomingRequest.Headers["MyCustomHttpHeader"];
    bool result = false; // set by the verification step below
    // ...Do the magic needed to verify and Authorise the incoming token...
    return result;
}
```
However, I am sure there are far more elegant ways of achieving this in WCF. Having done a little Googling I have come across SecurityTokenAuthenticator but it doesn't seem to fit what I need.
So, any suggestions?
EDIT: A key factor here is that the solution has to be cross-system/language-neutral; clients will be based on just about every technical stack imaginable, so they can't "just add a service reference".
Thanks
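One way to take the check out of each operation body, as an added example that is not code from the question: a WCF ServiceAuthorizationManager that reads the custom header, has the identity server verify the token through an assumed ITokenValidator interface, and stores the resulting user context for the operation. ITokenValidator, UserContext and the "ServiceUser" role are assumptions; the header name is the one from the question.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;

// Assumed contract (not from the question): asks the identity server whether the token
// is valid and returns the user it belongs to, or null when the token is rejected.
public interface ITokenValidator { UserContext Validate(string token); }
public sealed class UserContext
{
    public string UserName { get; set; }
    public string[] Roles { get; set; }
}

// WCF calls CheckAccessCore before every operation of the service this is attached to,
// so the header check is written once instead of inside each operation body.
public sealed class HeaderTokenAuthorizationManager : ServiceAuthorizationManager
{
    public const string HeaderName = "MyCustomHttpHeader"; // header name from the question
    public const string UserContextKey = "UserContext";    // where operations find the caller
    private readonly ITokenValidator _validator;
    public HeaderTokenAuthorizationManager(ITokenValidator validator) { _validator = validator; }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        WebOperationContext web = WebOperationContext.Current;
        string token = web.IncomingRequest.Headers[HeaderName];
        // Step 1: token must be present. 401 for both missing and invalid tokens,
        // so a caller cannot tell which check failed.
        if (string.IsNullOrWhiteSpace(token)) return Reject(web, HttpStatusCode.Unauthorized);

        // Step 2: the identity server verifies the token and hands back the user context.
        UserContext user = _validator.Validate(token);
        if (user == null) return Reject(web, HttpStatusCode.Unauthorized);

        // Step 3: authorise. Here the caller must hold the (assumed) "ServiceUser" role.
        if (user.Roles == null || Array.IndexOf(user.Roles, "ServiceUser") < 0)
            return Reject(web, HttpStatusCode.Forbidden);

        // Hand the verified user to the operation so it need not re-read the header.
        operationContext.IncomingMessageProperties[UserContextKey] = user;
        return true;
    }

    private static bool Reject(WebOperationContext web, HttpStatusCode code)
    {
        web.OutgoingResponse.StatusCode = code;
        return false; // false makes WCF refuse the call before the operation body runs
    }
}
```

Attach it from a custom ServiceHost or ServiceHostFactory with `host.Authorization.ServiceAuthorizationManager = new HeaderTokenAuthorizationManager(validator);` (or the equivalent `serviceAuthorization` config element). Inside an operation the verified caller is then available as `OperationContext.Current.IncomingMessageProperties[HeaderTokenAuthorizationManager.UserContextKey]`.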