4
votes

I have a few questions in relation to how to do authentication/authorization with ASP.NET MVC.

I have a bunch of WCF services that authenticate/authorise the user by passing the username and password on each request (I validate using a HttpModule, and catching the Authenticating event in WCF). It uses ASP.NET Membership within that HttpModule to validate the user and also sets the Principal so I can have roles on my services (these services are shared to various clients of ours so I need to keep how this works).

Now I want to create an MVC project which will be able to call these services, but I don't want to save the username and password in the session and pass it to each request.

I have a scenario with a few gaps in it if anyone can please help me!

  1. I turn on the AuthenticationService that WCF offers on the WCF service Layer.

  2. In my MVC project, I add forms authentication, and decorate my methods with the Authorize attribute, which will redirect me to the login page if I am not authorized.

  3. In the login page, when a user gives his/her username and password, I call the WCF AuthenticationService to log in my user. Then I retrieve the authentication token from this and store it in my session.

  4. The next time I want to call a WCF service on my service layer, I retrieve this token and add it to the header of my request.

  5. On the HttpModule that validates my user on the service side, I check if it's a valid token OR if it's a valid username or password (to facilitate other people calling these web services).

  6. If it is, it accepts the request and returns the correct data.

Does this seem like the correct way to approach this?

Any help is greatly appreciated. Thanks in advance! Neil

That is a really odd approach. Passing username/password to each single request is troublesome and you lose flexibility. Are there any important requirements you are trying to fulfill with your approach, or do you just not know how to do this in some other way? - Wiktor Zychla

Some of the services we offer are for SAP-based systems which I don't think will be able to handle token-based auth. This was the reason I went with this. I didn't think it was that much of a bad idea though? Are all REST-based services not stateless? - Neil Hosey

Can you offer another solution if this is a bad one? It is quite difficult without much knowledge of WCF. - Neil Hosey

1 Answer

0
votes

The proposed solution sounds OK. It was the idea to pass the username/password with every request that sounded bad. The only modification to this would be not to get the token via the login page but rather from one of the unguarded WCF methods.

The client flow would be then:

  1. Call the unguarded method, pass username and password as parameters, and get the token.
  2. Call other methods using the token to authenticate.

If your clients support HTTP cookies you could even rely solely on forms authentication: append the forms cookie to the login request and pass the cookie together with other requests. This way you don't even need an extra module.
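The flow the answer describes (an unguarded login method issues a token; guarded methods accept either that token or, as in step 5 of the question, the raw username/password for clients that cannot hold a token), as an added C# example that is not from the question, the answer or any WCF API. `TokenAuth`, `Issue`, `Authenticate` and the credential-check delegate are hypothetical; the delegate stands in for `Membership.ValidateUser`, and the HMAC key is assumed to be supplied by the caller from protected configuration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for the token-issuing WCF method and the HttpModule check in step 5.
public class TokenAuth
{
    private readonly byte[] _key;                                   // HMAC key, supplied from configuration
    private readonly Func<string, string, bool> _checkCredentials;  // e.g. Membership.ValidateUser
    public TokenAuth(byte[] key, Func<string, string, bool> check) { _key = key; _checkCredentials = check; }

    // Unguarded login method: validates username/password once, returns a signed, expiring token.
    public string Issue(string username, string password, DateTime utcNow, TimeSpan lifetime)
    {
        // '|' separates the fields of the payload, so it is not allowed inside the username.
        if (username.Contains("|") || !_checkCredentials(username, password)) return null;
        string payload = username + "|" + utcNow.Add(lifetime).Ticks;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." + Sign(payload);
    }

    // Guarded methods: accept a valid token, else fall back to username/password for clients
    // that cannot hold a token. Returns the authenticated username, or null to reject.
    public string Authenticate(string token, string username, string password, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(token))
            return _checkCredentials(username, password) ? username : null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        string payload;
        try { payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(Sign(payload), parts[1])) return null;   // verify the MAC before trusting fields
        string[] fields = payload.Split('|');
        long expiryTicks;
        if (fields.Length != 2 || !long.TryParse(fields[1], out expiryTicks)) return null;
        return expiryTicks < utcNow.Ticks ? null : fields[0];          // reject expired tokens
    }

    private string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(_key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Constant-time comparison so a forged MAC cannot be guessed byte by byte from timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the token is signed and carries its own expiry, the service side does not need to store it, so the token check stays as stateless as the original username/password check.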