In our application we have a lot of different profiles. Each profile enables the user to access specific functions of the service or to perform particular actions a specific number of times.
We are thinking about creating a WCF Authorization Service to centralize the logic of everything, so that "slave" applications will just reflect what this "referee" application tells them to do.
Do you think this is a good idea? Is it a pattern you have already used? Is there anything on the net that can be studied?
Thanks for your opinion.
Marco
Upvotes: 1
Views: 262
You might want to take a look at claims-based authentication through Windows Identity Foundation (WIF). In this model your "slave" services become what's known as relying parties (RPs), which each trust the issuer (STS) of an authentication token. This token contains claims that can be customised to each RP. It's built on open standards and will likely prove far more secure and future-proof than rolling your own.
All of this will be surfaced in your services through the relatively easy WIF API that extends IPrincipal and IIdentity. Perhaps a little more work up front now, but certainly a better solution long term?
Edit: Your services will trust the STS. Therefore when the user walks up to your service with a set of claims issued by the STS you take these as valid. Your services don't need to contain any logic for looking up roles as it's all contained in the claim which has been defined by the STS. All you do as a service developer is decide what the user can or cannot do based on those claims. The following developer whitepaper may help (PDF).
Upvotes: 1
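As an added illustration of the relying-party side described in the answer (this is example code, not the answerer's or WIF's own), the class below uses the .NET 4.5 `System.Security.Claims` API, the successor to WIF's `Microsoft.IdentityModel` namespace. The STS address, the claim types and the token contents are constructed for the example; the RP keeps no role lookup of its own and decides purely from claims issued by the issuer it trusts.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Relying party policy: trust one STS, ignore claims from anyone else,
// and derive both feature access and metered actions from the token.
public class ProfileAuthorizationManager : ClaimsAuthorizationManager
{
    // Hypothetical values; a real RP reads the trusted issuer from configuration.
    const string TrustedIssuer = "https://sts.example.test";
    const string FeatureClaim  = "urn:example:feature";   // value = feature name
    const string QuotaClaim    = "urn:example:quota";     // value = "action:remaining"

    public override bool CheckAccess(AuthorizationContext context)
    {
        string action   = context.Action.First().Value;
        string resource = context.Resource.First().Value;

        // Only claims the trusted STS issued count; a token from another issuer is worthless here.
        var trusted = context.Principal.Claims.Where(c => c.Issuer == TrustedIssuer).ToList();

        if (action == "use")   // profile enables a specific function of the service
            return trusted.Any(c => c.Type == FeatureClaim && c.Value == resource);

        if (action == "consume")   // profile allows an action a limited number of times
        {
            var quota = trusted.FirstOrDefault(c => c.Type == QuotaClaim && c.Value.StartsWith(resource + ":"));
            int remaining;
            return quota != null
                && int.TryParse(quota.Value.Substring(resource.Length + 1), out remaining)
                && remaining > 0;
        }
        return false;   // deny by default for any action the policy does not know
    }

    public static bool Allowed(ClaimsPrincipal user, string action, string resource)
    {
        return new ProfileAuthorizationManager().CheckAccess(new AuthorizationContext(user, resource, action));
    }
}

class Demo
{
    static void Main()
    {
        // Constructed token: the claims the STS would place in it for one user,
        // plus one claim from an untrusted issuer that the RP must not honour.
        var identity = new ClaimsIdentity(new[] {
            new Claim("urn:example:feature", "export",   ClaimValueTypes.String, "https://sts.example.test"),
            new Claim("urn:example:quota",   "report:3", ClaimValueTypes.String, "https://sts.example.test"),
            new Claim("urn:example:feature", "admin",    ClaimValueTypes.String, "https://rogue.example.test"),
        }, "Federation");
        var user = new ClaimsPrincipal(identity);
        foreach (var check in new[] { "use export", "use admin", "consume report", "consume export" })
        {
            var parts = check.Split(' ');
            Console.WriteLine("{0}: {1}", check, ProfileAuthorizationManager.Allowed(user, parts[0], parts[1]));
        }
    }
}
```

The remaining-count claim is a snapshot taken when the STS issued the token, so the decrement itself belongs at the STS (or a shared counter it fronts), not in each RP; the RP only honours what the issuer asserted.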