Geek Answers Handbook

What is considered “best practice” for user authentication / authorization for WPF and WCF applications?

Let's say I have a .NET rich client (WPF) application that will be deployed in three different scenarios at the same time:

  • Client and server code run in one process
  • client code is launched on the intranet computer and exchanged via WCF to the server where the application / domain / infrastructure code is executed.
  • same as # 2, but the client can work on a machine outside the firewall. A user list of users and roles must be maintained centrally (i.e., credentials are not based on Windows logins).

What is a simple, proven practice for implementing the same user authorization and authentication model for this application? Ie, I want to use the same approach in my presentation level, application level, domain level, etc., No matter how the application is deployed.

Should users / roles be explicitly stored in my SQL database through my existing Entity Framework model? Should Thread.CurrentPrincipal be the approach used by the code that should allow certain application functions, or should any IUserService be injected into the dependency?

This is a low-profile application, so security is not critical - just something basic.

thanks

Edit

After spending hours on WIF / claims-based authentication, I still don't see any instructions on how to create a standalone .NET desktop application using this type of security. All discussions are focused on either ASP.NET or WCF. I need my application to use a standard approach that can be used in both distributed (WCF) and standalone deployment scenarios

+6
source share
2 answers

Take a look at this. I assume you are looking for:

https://gist.github.com/stonetip/8745656

 var tokenHandler = new JwtSecurityTokenHandler(); var convertedSecret = EncodeSigningToken(ConfigurationManager.AppSettings["ClientSecret"]); // Set the expected properties of the JWT token in the TokenValidationParameters var validationParameters = new TokenValidationParameters() { AllowedAudience = ConfigurationManager.AppSettings["AllowedAudience"], ValidIssuer = ConfigurationManager.AppSettings["Issuer"], SigningToken = new BinarySecretSecurityToken(convertedSecret) }; Thread.CurrentPrincipal = tokenHandler.ValidateToken(token, validationParameters); if (HttpContext.Current != null) { HttpContext.Current.User = Thread.CurrentPrincipal; }
+1
source

Generally speaking, it is better to use token authentication like JWT. The main reason is its flexibility in various types of clients and servers. For example, if in the future you will need to add a mobile application (iOS, Android, any other) to the solution, you can do it without any problems. You can also improve your application with Restful services such as WebApi, etc.

So, my suggestion for you, if you are starting a project, is to switch to token-based authorization.

Take a look at these URLs, you may find them useful:

https://msdn.microsoft.com/en-us/library/ms751506%28v=vs.110%29.aspx

http://www.rhyous.com/2015/02/05/basic-token-service-for-wcf-services-part-1/

+1
source

More articles:


All Articles