Reputation: 24325
Is there any issue with having a standalone authentication WCF web service that takes a username and password? Should I use HTTPS or some other best practices?
Also, if I want to reset the password of a user with a WCF web service, how can I prevent a brute force attack of any sort? Or is there a best practice around this approach also? I would just send an email/username to reset the password.
Upvotes: 1
Views: 752
Reputation: 8880
This is a sensible approach if you want to externalise the authentication of your services, for example to support identity federation with another identity provider such as Active Directory Federation Services, or even Facebook or Google using the Windows Azure Access Control Service.
An additional benefit of this is that it would be relatively easy to support alternative authentication schemes in the future, such as X.509 certificates.
It may seem over-complicated for your needs, but you should definitely consider implementing your authentication service using a standard protocol such as WS-Trust. Your service in this case would be a Security Token Service (STS), to use the jargon. This is fairly well supported using Windows Identity Foundation (WIF), and in fact the WIF tools for Visual Studio include a sample STS to get you going.
Alternatively, there is an excellent ready-made, open source STS created by Dominick Baier that you can download and customise if necessary (e.g. to use your own username/password store). You can download it here:
http://identityserver.codeplex.com/
As I say, this is perhaps more complex than you need, but could be a really good investment in the future.
Upvotes: 1
Reputation: 4585
Yes, you should use HTTPS, because authentication over HTTP is equally prone to attack as an unauthenticated service: anyone can sniff the plain text passing over the wire. There is a good way in WCF to implement authentication: use the UserNamePasswordValidator class. You can create some text file on the server to hold the username/password, which can be changed by sending an email, etc.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;

public class MyCustomValidator : UserNamePasswordValidator
{
    // WCF calls Validate for every request that carries a UserName token.
    // Returning normally accepts the caller; throwing rejects the request.
    public override void Validate(string userName, string password)
    {
        if (null == userName || null == password)
        {
            throw new ArgumentNullException();
        }

        // UserRepository is the answer's placeholder for any DB-based check.
        bool isValid = UserRepository.ValidateUser(userName, password);
        if (!isValid)
        {
            // Surfaced to the client as a generic security fault; keep the message vague.
            throw new SecurityTokenException("Unknown Username or Password");
        }
    }
}
config:
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="CustomAuthentication">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="CustomValidator">
        <serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="MyAssembly.MyCustomValidator, MyAssembly" />
          <!-- Message security with UserName credentials also needs a service certificate
               (a <serviceCertificate .../> element here) so the client can encrypt the token;
               WCF refuses to open the host without one. Supply your own certificate. -->
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="MyAssembly.MyService" behaviorConfiguration="CustomValidator">
      <endpoint address="" binding="wsHttpBinding" contract="MyAssembly.IMyService" bindingConfiguration="CustomAuthentication" />
    </service>
  </services>
</system.serviceModel>
If you wish to use authentication without HTTPS, you can try this: WCF Authentication using basicHttpBinding and custom UserNamePasswordValidator
Upvotes: 2
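The validator above accepts whatever UserRepository returns and gives no answer to the question's brute-force concern. The following is an added example, not code from the answer or from WCF itself, of a UserNamePasswordValidator that stores PBKDF2 password hashes instead of plaintext, compares them in constant time, locks an account after repeated failures, and issues single-use, expiring reset tokens for the email flow the question describes. The class and member names (HardenedValidator, AttemptState, BeginReset, CompleteReset), the iteration count, the lockout threshold and the in-memory dictionaries are all assumptions; a real service would back them with a database or cache with expiry.

```csharp
// Added example (not from the original answer). Assumes .NET Framework 4.5+ with
// System.IdentityModel referenced; the dictionaries are constructed stand-ins for a store.
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

public class HardenedValidator : UserNamePasswordValidator
{
    const int Iterations = 100000;   // PBKDF2 work factor (assumed; tune to ~100 ms per check)
    const int SaltBytes = 16, HashBytes = 32;
    const int MaxFailures = 5;       // assumed lockout threshold
    static readonly TimeSpan LockoutWindow = TimeSpan.FromMinutes(15);
    static readonly TimeSpan ResetTokenLifetime = TimeSpan.FromMinutes(30);

    class UserRecord   { public byte[] Salt; public byte[] Hash; }
    class AttemptState { public int Failures; public DateTime LockedUntil; }
    class ResetRecord  { public byte[] TokenHash; public DateTime Expires; }

    // Constructed in-memory stores, keyed case-insensitively by user name.
    static readonly ConcurrentDictionary<string, UserRecord> Users =
        new ConcurrentDictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);
    static readonly ConcurrentDictionary<string, AttemptState> Attempts =
        new ConcurrentDictionary<string, AttemptState>(StringComparer.OrdinalIgnoreCase);
    static readonly ConcurrentDictionary<string, ResetRecord> Resets =
        new ConcurrentDictionary<string, ResetRecord>(StringComparer.OrdinalIgnoreCase);

    public static void SetPassword(string userName, string password)
    {
        var salt = RandomBytes(SaltBytes);
        Users[userName] = new UserRecord { Salt = salt, Hash = Pbkdf2(password, salt) };
    }

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null) throw new ArgumentNullException();

        // Per-user failure counter; a deployment would also rate-limit by source address.
        var state = Attempts.GetOrAdd(userName, _ => new AttemptState());
        lock (state)
        {
            if (state.LockedUntil > DateTime.UtcNow)
                throw new SecurityTokenException("Unknown Username or Password"); // same text: do not reveal the lockout
        }

        UserRecord record;
        bool known = Users.TryGetValue(userName, out record);
        // Run the KDF even for unknown users so response time does not reveal which names exist.
        byte[] salt = known ? record.Salt : new byte[SaltBytes];
        bool ok = FixedTimeEquals(Pbkdf2(password, salt), known ? record.Hash : new byte[HashBytes]);

        lock (state)
        {
            if (ok) { state.Failures = 0; return; }
            if (++state.Failures >= MaxFailures)
            {
                state.Failures = 0;
                state.LockedUntil = DateTime.UtcNow + LockoutWindow;
            }
        }
        throw new SecurityTokenException("Unknown Username or Password");
    }

    // Reset step 1: return a random token to send by e-mail; only its hash is stored.
    // Always returns a token so the endpoint cannot be used to enumerate accounts.
    public static string BeginReset(string userName)
    {
        var token = RandomBytes(32);
        if (Users.ContainsKey(userName))
            Resets[userName] = new ResetRecord { TokenHash = Sha256(token), Expires = DateTime.UtcNow + ResetTokenLifetime };
        return Convert.ToBase64String(token);
    }

    // Reset step 2: the token is single use (removed before checking) and must not have expired.
    public static bool CompleteReset(string userName, string token, string newPassword)
    {
        ResetRecord pending;
        if (!Resets.TryRemove(userName, out pending)) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(token); } catch (FormatException) { return false; }
        if (pending.Expires < DateTime.UtcNow || !FixedTimeEquals(Sha256(presented), pending.TokenHash)) return false;
        SetPassword(userName, newPassword);
        return true;
    }

    static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(HashBytes);
    }
    static byte[] Sha256(byte[] data) { using (var h = SHA256.Create()) return h.ComputeHash(data); }
    static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(b);
        return b;
    }
    // Constant-time comparison: timing must not leak how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register it exactly as the answer's config registers MyCustomValidator (customUserNamePasswordValidatorType="MyAssembly.HardenedValidator, MyAssembly"), and expose BeginReset and CompleteReset as operations on an HTTPS endpoint only; the validator's rejection message is deliberately identical for a wrong password, an unknown user and a locked account, so the service leaks nothing to an attacker iterating names.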