Reputation: 8516
Say I have a .NET rich client (WPF) application that will be deployed in 3 different scenarios simultaneously:
What is a simple, proven practice for implementing the same user authorization/authentication model for this application? I.e., I want to use the same approach in my presentation layer, application layer, domain layer, etc, regardless of how the application is deployed.
Should users/roles be explicitly maintained in my SQL database via my existing Entity Framework model? Should Thread.CurrentPrincipal be the approach used by code that needs to authorize certain app features, or should some IUserService be dependency-injected?
This is a low-profile application so security is not of critical importance -- just something basic.
Thanks
After spending hours researching WIF / claims-based authentication, I still don't see any guidance on how to create a stand-alone .NET desktop application that employs this type of security. All discussions are geared to either ASP.NET or WCF. I need my application to use a standard approach that can be used in both distributed (WCF) and stand-alone deployment scenarios.
Upvotes: 7
Views: 5931
Reputation: 45996
Take a look at this. I presume it's what you're looking for:
https://gist.github.com/stonetip/8745656
using System.Configuration;                    // ConfigurationManager
using System.IdentityModel.Tokens;             // JwtSecurityTokenHandler, TokenValidationParameters (System.IdentityModel.Tokens.Jwt package)
using System.ServiceModel.Security.Tokens;     // BinarySecretSecurityToken
using System.Threading;
using System.Web;

// 'token' is the raw JWT string received from the caller; EncodeSigningToken is the
// gist's helper that turns the configured secret into the key bytes the handler expects.
var tokenHandler = new JwtSecurityTokenHandler();
var convertedSecret = EncodeSigningToken(ConfigurationManager.AppSettings["ClientSecret"]);

// Set the expected properties of the JWT token in the TokenValidationParameters:
// audience, issuer and the symmetric key the signature must verify against.
var validationParameters = new TokenValidationParameters()
{
    AllowedAudience = ConfigurationManager.AppSettings["AllowedAudience"],
    ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
    SigningToken = new BinarySecretSecurityToken(convertedSecret)
};

// ValidateToken throws if the signature, issuer, audience or lifetime is not acceptable;
// on success it returns the ClaimsPrincipal that the rest of the code authorizes against.
Thread.CurrentPrincipal = tokenHandler.ValidateToken(token, validationParameters);

// When hosted in a web process, keep the request's User in sync with the thread principal.
if (HttpContext.Current != null)
{
    HttpContext.Current.User = Thread.CurrentPrincipal;
}
Upvotes: 1
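As an added example (not part of the answer above, the linked gist, or any project's code), here is a small C# sketch of the pattern the question describes: whatever produces the identity, the result is a ClaimsPrincipal on Thread.CurrentPrincipal, and every layer authorizes through one injected IUserService. The distributed install feeds it the principal returned by the JWT validation shown above; the stand-alone install builds one from its own users/roles table. The type names (IUserService, ThreadPrincipalUserService, SignIn, InvoiceService), the sample users and the roles are constructed for illustration. One caveat on the snippet above: its signing key is a symmetric ClientSecret read from app settings, so if the desktop client itself holds that secret, anyone with the install can read it and mint tokens that pass validation; have the service side validate, or sign with an asymmetric key the client only needs the public half of.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.Threading;

// Added example; assumes .NET Framework 4.5+ (ClaimsPrincipal/ClaimsIdentity in mscorlib).

// The one abstraction every layer authorizes through. Presentation, application and
// domain code depend on this interface, not on where the identity came from.
public interface IUserService
{
    string UserName { get; }
    bool IsInRole(string role);
    void Demand(string role);   // throws SecurityException when the role is missing
}

// Default implementation: reads whatever ClaimsPrincipal is on the current thread.
public sealed class ThreadPrincipalUserService : IUserService
{
    private static ClaimsPrincipal Current
    {
        get
        {
            // An empty ClaimsIdentity has no claims, so every IsInRole is false.
            return Thread.CurrentPrincipal as ClaimsPrincipal
                   ?? new ClaimsPrincipal(new ClaimsIdentity());
        }
    }

    public string UserName { get { return Current.Identity.Name ?? string.Empty; } }

    public bool IsInRole(string role) { return Current.IsInRole(role); }

    public void Demand(string role)
    {
        if (!IsInRole(role))
            throw new SecurityException(
                string.Format("User '{0}' does not hold role '{1}'.", UserName, role));
    }
}

// Two ways to put a principal on the thread; both end in the same ClaimsPrincipal shape,
// which is what keeps the rest of the application deployment-agnostic.
public static class SignIn
{
    // Distributed scenario: use the principal a token validator returned
    // (e.g. JwtSecurityTokenHandler.ValidateToken) as-is.
    public static void WithValidatedPrincipal(ClaimsPrincipal validated)
    {
        if (validated == null) throw new ArgumentNullException("validated");
        Thread.CurrentPrincipal = validated;
    }

    // Stand-alone scenario: build the principal from the application's own user/role
    // store (an Entity Framework query in practice; the caller passes the result here).
    public static void WithLocalUser(string userName, IEnumerable<string> roles)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        // A non-null authenticationType makes Identity.IsAuthenticated true; nameType and
        // roleType tell ClaimsPrincipal which claim types back Name and IsInRole.
        var identity = new ClaimsIdentity(claims, "Local", ClaimTypes.Name, ClaimTypes.Role);
        Thread.CurrentPrincipal = new ClaimsPrincipal(identity);
    }
}

// A domain-layer service that authorizes through the injected abstraction only.
public sealed class InvoiceService
{
    private readonly IUserService _user;
    public InvoiceService(IUserService user) { _user = user; }

    public string TryApprove(int invoiceId)
    {
        try
        {
            _user.Demand("Approver");
            return string.Format("invoice {0} approved by {1}", invoiceId, _user.UserName);
        }
        catch (SecurityException ex)
        {
            return "denied: " + ex.Message;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        IUserService user = new ThreadPrincipalUserService();
        var invoices = new InvoiceService(user);

        SignIn.WithLocalUser("alice", new[] { "Viewer" });            // constructed sample user
        Console.WriteLine(invoices.TryApprove(42));

        SignIn.WithLocalUser("bob", new[] { "Viewer", "Approver" });  // constructed sample user
        Console.WriteLine(invoices.TryApprove(42));
    }
}
```

Set the principal before starting any work that will check it, and confirm on your target runtime that Thread.CurrentPrincipal reaches the threads you actually use (WPF dispatcher work versus Task-based background work); if it does not, carry the ClaimsPrincipal explicitly into that work. Because the domain layer only sees IUserService, unit tests can substitute a fake that returns a fixed principal without touching JWT validation or the database.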
Reputation: 45996
Generally speaking, it's better to go for token-based authentication like JWT. The main reason is its flexibility across various types of clients and servers. For example, if in the future you need to add a mobile app (iOS, Android, whatever) to the solution, you can do it without any problem. You can also enhance your app with RESTful services like WebApi, etc.
So my suggestion, if you're starting the project, is to go for token-based auth.
Have a look at these URLs; you may find them useful:
https://msdn.microsoft.com/en-us/library/ms751506%28v=vs.110%29.aspx
http://www.rhyous.com/2015/02/05/basic-token-service-for-wcf-services-part-1/
Upvotes: 2