I am creating a website that will contain both ASP.NET pages and a Flash applet. I want to encapsulate my business logic in a WCF service, which will be displayed through two endpoints: one accessible via the Internet via HTTP(S) for use by the Flash client and one available in the data center for use by application servers. If this does not seem like a good approach, stop me here; otherwise I will move on ...
The question is how to authenticate requests from the Flash client. Since I do not want to store the user password in the browser cookie, I do not want to send a password with each request, and I do not want to use HTTPS after the initial login, I plan to use token-based authentication. I also do not want the user to have to enter the Flash client after he has already logged into the site itself, so I plan to use JavaScript to transfer the token to the Flash client when it starts.
I know that WCF supports the use of the built-in security environment of the .NET Framework (System.Security) to provide access control, and I would like to take advantage of this.
Thus, the question arises: How do I transfer the token to the WCF service when it is called by Flash, and how do I process the token on the server?
- WCF has an “issued token” authentication mode, but it seems to be intended for use in a full-fledged federation scenario with Secure Token Service and SAML tokens - a little more complicated than what I really want. Can I use this mode with my "simple random string" tokens? If so, how? Keep in mind that this should be compatible with Flash.
- I could pass the token in the header (either the SOAP header or the HTTP header). In this case, once I have determined which user is making the request, how can I tell the structure so that System.Security checks work?
- Is there any other approach I should consider? Everything that allows me to avoid sending passwords in each request allows me to use System.Security, and working with Flash is an opportunity.
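
As an added illustration that is not part of the original post, here is one way the "simple random string" token from the question could be issued after login and turned back into an `IPrincipal` on each request, so that role checks have an identity to work with. `SessionTokenStore`, `Demo` and the sample user and role are hypothetical names; how the header value reaches `Validate` inside WCF is left out. A token sent over plain HTTP can be read by anyone on the network path, which is why the sketch gives tokens a short lifetime and a revocation call.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Threading;

// Hypothetical helper: none of these names come from the question.
public sealed class SessionTokenStore
{
    private sealed class Entry { public string User; public string[] Roles; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    public SessionTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called once, after the password login over HTTPS has succeeded.
    public string Issue(string user, string[] roles)
    {
        var bytes = new byte[32];                                  // 256 bits from a CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _entries[token] = new Entry { User = user, Roles = roles, ExpiresUtc = DateTime.UtcNow + _lifetime };
        return token;
    }

    // Called per request with the header value; returns null when unknown or expired.
    public IPrincipal Validate(string token)
    {
        Entry e;
        if (string.IsNullOrEmpty(token) || !_entries.TryGetValue(token, out e)) return null;
        if (e.ExpiresUtc <= DateTime.UtcNow) { _entries.TryRemove(token, out e); return null; }
        return new GenericPrincipal(new GenericIdentity(e.User, "SessionToken"), e.Roles);
    }

    public void Revoke(string token) { Entry e; _entries.TryRemove(token, out e); }
}

public static class Demo
{
    public static void Main()
    {
        var store = new SessionTokenStore(TimeSpan.FromMinutes(20));
        string token = store.Issue("alice", new[] { "Customer" }); // constructed sample user
        IPrincipal principal = store.Validate(token);
        Thread.CurrentPrincipal = principal;                       // identity that role checks consult
        Console.WriteLine(principal.Identity.Name + " in Customer: " + principal.IsInRole("Customer"));
        store.Revoke(token);                                       // logout
        Console.WriteLine("valid after revoke: " + (store.Validate(token) != null));
    }
}
```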