I would like to start with the scenario. I have created a WCF service that is as interoperable as I could make it, meaning I have three endpoints: one using the wsHttpBinding (SOAP), which will later use Transport security once I set up my certificate, and two webHttpBindings, one formatting JSON and the other XML messages, to which I would also like to add Transport security.
Now that these endpoints work with my simple sample method accepting and returning a string, I have to figure out the authentication system I need to choose!
The main client application will be an ASP.NET MVC app; here I would be very happy to use the ASP.NET Membership provider to authenticate and authorize inside my client application and use those credentials over the WCF requests. I could do that, but now other system vendors come into the design, which could be (for now at least) Android and iOS mobile devices. The good thing is we have the REST endpoints for whatever data they would like to consume and handle gracefully, but what happens with authentication over REST endpoints? I could never use the ASP.NET Membership provider out of the box in my WCF service and handle the requests automatically, could I?
My first question now is: can I combine both somehow? Is anyone out there with best practices who has implemented such a scenario? Should I go with a custom authentication system? Should I use the Membership API from within and authenticate every call against the database? There are so many other questions I don't get with REST... are the credentials sent in the header of every request message?
Another thing that comes to mind is creating two different services (one for the MVC app and two for REST XML/JSON, authenticating against the database on every request), but this would be a maintenance nightmare, I guess.
You get the idea, any suggestions and thoughts are welcome!
Thank you.