6

I have a project which needs to expose a WCF RESTful service to an iPhone/iPad client. The WCF service works; now I need to secure it with a username and password.

For some reason I am a little reluctant to go with CustomBasicAuth.

OAuth is also not ideal in the WCF world for now; you have to create a wrapper to work around it. Please DO correct me if I am wrong.

Now, I am looking at the Windows Identity Foundation. To be honest, that looks like a smart way, but it is lacking documentation.

There are 2 things that have to be put into consideration:

  1. The implementation has to be iPhone friendly (not just used in the .NET world).

  2. The implementation needs to be easily deployed to the cloud (Azure).

I would like to know which option you would choose, and the reason for choosing it. Any links or references will be greatly appreciated.

Brock Adams
D.J

4 Answers

1

You might want to try this basic authentication implementation for WCF REST, http://weblogs.asp.net/cibrax/archive/2009/03/20/custom-basic-authentication-for-restful-services.aspx

Based on your requirements, basic authentication should be enough for what you need. WIF will only add some noise in the mix.

Thanks Pablo.

Pablo Cibraro
  • Nice blog post, btw. But... AFAIK, `webHttpBinding`, which is required for WCF REST, does not support HTTPS hosts. And Basic authentication requires HTTPS in order to be secure. How to get around that? – isekaijin May 13 '11 at 17:50
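An added example (not from this thread or the linked post) of the server-side check that the Basic authentication approach above comes down to: parse the `Authorization` header, verify the password against a salted PBKDF2 hash, and accept credentials only on requests that arrived over HTTPS. The class and method names, the single salt/hash pair standing in for a user store, and the sample values are assumptions; any HTTP client, including an iOS one, only has to send the standard header.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class BasicAuthExample   // hypothetical helper class, not a WCF type
{
    // Extracts user and password from an Authorization header value; false if malformed.
    public static bool TryParse(string header, out string user, out string password)
    {
        user = password = null;
        const string scheme = "Basic ";
        if (header == null || !header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase)) return false;
        byte[] raw;
        try { raw = Convert.FromBase64String(header.Substring(scheme.Length).Trim()); }
        catch (FormatException) { return false; }
        string pair = Encoding.UTF8.GetString(raw);
        int colon = pair.IndexOf(':');      // first colon only: the password may contain ':'
        if (colon <= 0) return false;       // missing separator or empty user name
        user = pair.Substring(0, colon);
        password = pair.Substring(colon + 1);
        return true;
    }
    // Derives a PBKDF2 hash from the supplied password and compares without early exit.
    public static bool Verify(string password, byte[] salt, byte[] storedHash, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            byte[] candidate = kdf.GetBytes(storedHash.Length);
            int diff = 0;
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ storedHash[i];
            return diff == 0;
        }
    }
    // Credentials are rejected unless the request used HTTPS. Looking up the salt and
    // hash for the parsed user name is left to the caller (assumption: one stored user).
    public static bool IsAuthorized(Uri requestUri, string header, byte[] salt, byte[] storedHash, int iterations)
    {
        string user, password;
        return requestUri.Scheme == Uri.UriSchemeHttps
            && TryParse(header, out user, out password)
            && Verify(password, salt, storedHash, iterations);
    }
    static void Main()
    {
        byte[] salt = Encoding.ASCII.GetBytes("constructed-salt");   // constructed sample data
        byte[] stored = new Rfc2898DeriveBytes("p@ss:word", salt, 100000).GetBytes(20);
        string header = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:p@ss:word"));
        Console.WriteLine(IsAuthorized(new Uri("https://example.test/svc"), header, salt, stored, 100000));
        Console.WriteLine(IsAuthorized(new Uri("http://example.test/svc"), header, salt, stored, 100000));
    }
}
```

In a WCF REST service the header value can be read from `WebOperationContext.Current.IncomingRequest.Headers["Authorization"]`, and a failed check should be answered with 401 and a `WWW-Authenticate: Basic` challenge.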
0

Windows Identity Foundation - WIF, uses SAML 2.0 claims.

So it is a good fit both for cross platform and the cloud.

Here is a link to WIF documentation: http://msdn.microsoft.com/en-us/security/aa570351

Note that WIF is also used for Windows Azure Access Control Services.

Shiraz Bhaiji
  • WIF doesn't work with SAML2 out of the box; it has an extension from this May which fixes this problem, but it is buggy. Have you met any field examples or use cases for using WIF features on iPhone? – vittore Nov 22 '11 at 21:33
0

I'm using WIF in a custom STS in Azure for one of our sites. I think my only concern would be whether the agent, in this case iPhone/iPad, can handle the size of the cookies that WIF generates, as they can be quite large. We've been inundated with exceptions related to the claim not working in certain browsers due to cookie size limits. Of course, I don't know if these limits exist for the platforms you're using.

Jeff
0

Check this nice Code Project article:

http://www.codeproject.com/Articles/149738/Basic-Authentication-on-a-WCF-REST-Service

I am investigating this issue as well, so I am not sure this is the full approach, but it is still worth reading.

I would add the following architectural concern to your question:

What if you want to support both active (WCF) and passive (web browser authentication) in the same system? I am still not sure about that.

James Roeiter