Authentication options in a scenario where a Silverlight application is calling a self-hosted WCF service

asp.net, authentication, silverlight, wcf

Our system consists of a self-hosted (non-IIS) WCF service and an ASP.NET website which hosts a Silverlight application. The application is supposed to do pretty much everything; the website is just a "shell" in this case.

We have a hard time figuring out how to solve user authentication securely.

To my knowledge, Silverlight cannot handle Windows authentication and does not have any kind of credentials object. The best we can think of is to authenticate the user when he requests the page which hosts the app. Then we can pass the user name to the app in its init parameters.

That way we have a username which can be sent to the WCF service, and can serve as a base for handling roles. The problem is, anyone can call our service without a Silverlight client and pass in a user name. Also, sending unencrypted sensitive data between the WCF service and the Silverlight app is a bad idea. So, my question is:

How to authenticate the client in this scenario securely?

Best Answer

Has anyone tried this with Silverlight 3? I have a similar situation, and want to implement authentication using message headers (I definitely don't want to use ASP.NET cookies), but the solution given here seems to be outdated (doesn't compile correctly with SL3). I'm about to try to find and fix the errors; I was just hoping someone may either have a fixed example, or perhaps a better solution?

Seems to me like whenever anyone asks about authentication with SL and WCF, the standard solution is RIA services and ASP.NET Forms Auth built into the web site; I'm hoping for a slightly better answer :-)
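The question's weakness is that the service trusts a user name the client chose, and the reply above wants the credentials carried in the message instead. As an added example (not code from either poster), this is the service side of a self-hosted WCF host that validates a UserName credential carried in the SOAP message over HTTPS and then reads the caller's identity from the validated security context rather than from a parameter. The contract, the `DemoPasswordValidator` and the port are hypothetical, and a server certificate is assumed to be bound to that port already.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string WhoAmI();
}
// Hypothetical validator: swap the hard-coded comparison for a lookup in your user store.
public class DemoPasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Constructed credentials for illustration only.
        if (userName != "alice" || password != "correct horse battery staple")
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}
public class OrderService : IOrderService
{
    public string WhoAmI()
    {
        // The identity comes from the credentials WCF validated, not from a user name the
        // client (or the hosting page's init parameters) supplied, so it can drive role checks.
        return ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}
class Program
{
    static void Main()
    {
        // HTTPS encrypts the channel; the UserName token travels inside the SOAP message.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        // Assumes a server certificate is already bound to port 8443 (netsh http add sslcert).
        var host = new ServiceHost(typeof(OrderService));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "https://localhost:8443/orders");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoPasswordValidator();
        host.Open();
        Console.ReadLine(); // keep the host alive until Enter is pressed
        host.Close();
    }
}
```

Silverlight 3 cannot send UserName message credentials itself, so for that client the same check would have to be applied in the service to a custom SOAP header; Silverlight 4 and later can use this binding directly.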