Using OpenID with WebService: the best way to authenticate?

I am looking for some recommendations on the best authentication method in my WebService. Right now I have a standard WebService on .NET 3.5 and an MVC website that sits on top of this WebService.

The MVC website uses OpenID to authenticate users, and during the development phase, we simply passed the authenticated OpenID user ID to the WebService for authentication. Obviously, this is not what we will release to the client when we go live.

So my question is: What is the best authentication method in WebService?

Some of the APIs I've played with use authentication tokens. Another idea we had was that when connecting to the WebService, pass the encryption key to the client, which they could use for all transfers.

I'm all ears here, and again, any help is greatly appreciated! Thanks!

...

UPDATE: Right now I have created a custom SoapAuthenticationHeader that has the OpenIdURL property. This is used for all service calls to authenticate the user. The problem is twofold:

  • If a hacker knows the user's OpenIdURL, he can easily access the WebService.
  • OpenIdURL is currently being transmitted in text format.

That way, I can pass the encryption key to the client when connecting to WebService and ask the client to encrypt OpenIdURL in the SoapAuthentication header. But I'm not sure how best to do this ...

+6
c# web-services asp.net-mvc oauth openid
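
One way to implement the "authentication token" idea raised in the question, as an added example that is not code from the question or from any answer: the MVC site issues an HMAC-signed, expiring token after the OpenID login, and the WebService validates it on every call instead of trusting a bare OpenIdURL header. `ServiceToken`, `Issue`, `Validate`, the token layout and the shared key are assumptions, and the token is still a bearer credential, so the example assumes the calls travel over TLS.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example; ServiceToken, Issue, Validate and the token layout are hypothetical.
static class ServiceToken
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    // MVC site, after OpenID login: base64(openIdUrl).expiryUnixSeconds.base64(HMAC-SHA256)
    public static string Issue(string openIdUrl, DateTime expiresUtc, byte[] key)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(openIdUrl)) + "." + (long)(expiresUtc - Epoch).TotalSeconds;
        return payload + "." + Convert.ToBase64String(Mac(payload, key));
    }

    // WebService, on every call: returns the OpenID URL, or null if malformed, forged or expired.
    public static string Validate(string token, DateTime nowUtc, byte[] key)
    {
        string[] p = (token ?? "").Split('.');
        long expiry;
        if (p.Length != 3 || !long.TryParse(p[1], out expiry)) return null;
        try
        {
            byte[] sent = Convert.FromBase64String(p[2]);
            byte[] good = Mac(p[0] + "." + p[1], key);
            int diff = sent.Length ^ good.Length;   // compare without an early exit
            for (int i = 0; i < sent.Length && i < good.Length; i++) diff |= sent[i] ^ good[i];
            if (diff != 0) return null;             // check the signature before reading any field
            if ((nowUtc - Epoch).TotalSeconds >= expiry) return null;
            return Encoding.UTF8.GetString(Convert.FromBase64String(p[0]));
        }
        catch (FormatException) { return null; }
    }
    static byte[] Mac(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
}

static class Demo
{
    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        DateTime now = DateTime.UtcNow;
        string t = ServiceToken.Issue("https://user.example/openid", now.AddMinutes(10), key);
        Console.WriteLine(ServiceToken.Validate(t, now, key));                     // fresh token
        Console.WriteLine(ServiceToken.Validate(t, now.AddHours(1), key) == null); // past expiry
        Console.WriteLine(ServiceToken.Validate("x" + t, now, key) == null);       // altered payload
    }
}
```

Knowing a user's OpenID URL is no longer enough to call the service, because a valid token also requires the key held only by the MVC site and the WebService.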
3 answers

You might want to take a look at OAuth:

http://oauth.net/

(Use http://oauth.net/code/ for coding.)

Since it is specifically designed for this scenario (Open ID is not, really).

There is another question in SA that asks about the best way to protect a web service, and Open ID and OAuth are discussed:

Web Service Authentication Using OpenID

+3

ASMX Web Services (which Microsoft now considers deprecated) are not able to use OpenID for authentication. They can only use what is provided to them by IIS. You could add a SoapExtension, which will do an OpenID check for them, but I would not spend time there.

I don’t know enough about OpenID to be sure, but I suspect that it can integrate with WCF through federated security. I'm sure someone else will respond with details.

0

This is actually not an answer, but I cannot leave comments ...

You say: "I have a standard WebService on .NET 3.5 and an MVC website that sits on top of this WebService."

I could be off base here, but the language implies that the two are sitting on the same server. If so, why can't you just share the user database and cookie token?

James

0