xplat

Reputation: 8636

Security and authentication design concepts about an interoperable (SOAP, REST) WCF Service

I would like to start with the scenario. I have created a WCF service that is as interoperable as I could make it, meaning I have three endpoints: one using the wsHttpBinding (SOAP), which later will be using Transport security when I set up my certificate, and two webHttpBindings, one formatting JSON and the other XML messages, where I would like to add Transport security too.

Now that these endpoints work with my simple sample method accepting and returning a string, I have to figure out the authentication system I need to choose!

The main client application will be an ASP.NET MVC app. Here I would be so happy to use the ASP.NET Membership provider to authenticate and authorize inside my client application and use those credentials over the WCF requests. I could do that, but now other system vendors come into the design, which could be (for now at least) Android and iOS mobile devices. The good thing is we have the REST endpoints to use for whatever data they would like to consume and handle gracefully. What happens with authentication over REST endpoints? I could never use the ASP.NET membership provider out of the box with my WCF and handle the requests automatically, can I?

My first question now is, can I combine both somehow? Is there anyone out there with best practices who has implemented such a scenario? Should I go with a custom authentication system? Should I use the Membership API from within and authenticate every call to the database? There are so many other questions I don't get with REST... are the credentials in every message header request?

Another thing that comes to mind is to create two different services (one for the MVC app and two for REST XML, JSON, authenticating to the database on every request), but this would be a maintenance nightmare, I guess.

You get the idea, any suggestions and thoughts are welcome!

Thank you.

Upvotes: 2

Views: 406

Answers (1)

kunjee

Reputation: 2759

Why can't you give ServiceStack a try? Push all your logic to the service, and the client will be a single-page application using your favorite JS library, like AngularJS. You can find a complete example here: http://razor.servicestack.net/.

It also supports authentication out of the box for OAuth and form-based authentication. There are a few more available, though.

Why not WCF? There is more than one reason. WCF is good and does lots of stuff that is not needed for most use cases. And ServiceStack is easy to use for this type of scenario, where the logic is on the server. By default it supports REST, SOAP 1, SOAP 2, JSON, JSV, XML, etc. It will give you a jump start. There is also an example of ServiceStack with MonoTouch, so an application running on iOS. ServiceStack also provides many other things out of the box. Do visit the site and let me know if any further details are needed.

Upvotes: 1
