Question

I'm looking for some guidance on the best way to authenticate to my WebService. Right now, I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService.

The MVC website uses OpenID to authenticate users, and during the development phase, we have simply been passing the user's OpenID Claimed Identifier to the WebService to authenticate. Obviously this is not what we will be releasing to the customer when we go live.

So my question is this: What's the best way to authenticate to the WebService?

Some of the APIs I've played around with use Authentication Tokens. Another idea we had was to, upon connection to the WebService, pass the client an encryption key which they could use for all transfers.

I'm thinking out loud here, and again, any help is greatly appreciated! Thanks!

...

UPDATE: Right now I have created a custom SoapAuthenticationHeader which has an OpenIdURL property. This is used on all service calls to authenticate the user. The problem is two-fold:

  1. If a hacker knows a user's OpenIdURL, they can easily gain access to the WebService.
  2. The OpenIdURL is currently passed in plain-text.

So I could pass an encryption key to the client upon connection to the WebService, and have the client encrypt the OpenIdURL in the SoapAuthentication header. But I'm not sure about how to best go about that...
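One way to close both holes in the update above is to stop sending the OpenID claimed identifier at all: the MVC site finishes the OpenID login, asks the service (over HTTPS, so nothing travels in plain text) for an opaque random session token, and sends only that token in the SoapAuthenticationHeader; the service maps the token back to the user and expires it. This is an added illustration in ASMX/.NET 3.5 style, not code from the question or the answers; the service name, namespace, method names and 20-minute lifetime are assumptions, and IssueToken must itself be reachable only from the MVC host (IIS IP restriction or a shared secret), or it simply reintroduces the "anyone who knows the URL" problem.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;

// The header carries an opaque session token, never the OpenID claimed identifier.
public class SoapAuthenticationHeader : SoapHeader
{
    public string Token;
}

[WebService(Namespace = "http://example.invalid/")]  // placeholder namespace
public class SecuredService : WebService
{
    public SoapAuthenticationHeader AuthHeader;  // populated by ASMX from the SOAP header

    // token -> (claimed identifier, expiry). In-memory store is an assumption:
    // use a shared cache or database when the service is load balanced.
    private static readonly Dictionary<string, KeyValuePair<string, DateTime>> Sessions =
        new Dictionary<string, KeyValuePair<string, DateTime>>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);

    // Called by the MVC site over HTTPS after it has completed the OpenID login.
    // Lock this method down to the MVC host; it is the trust boundary of the scheme.
    [WebMethod]
    public string IssueToken(string openIdClaimedIdentifier)
    {
        byte[] raw = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(raw);   // 256 bits, unguessable
        string token = Convert.ToBase64String(raw);
        lock (Sessions)
            Sessions[token] = new KeyValuePair<string, DateTime>(
                openIdClaimedIdentifier, DateTime.UtcNow + Lifetime);
        return token;
    }

    [WebMethod]
    [SoapHeader("AuthHeader", Direction = SoapHeaderDirection.In)]
    public string GetProfile()
    {
        string user = Authenticate();   // throws a SOAP fault if the token is bad
        return "profile for " + user;
    }

    // Resolves the header token to a user; rejects missing, unknown or expired tokens.
    private string Authenticate()
    {
        if (AuthHeader == null || string.IsNullOrEmpty(AuthHeader.Token))
            throw new SoapException("Missing token", SoapException.ClientFaultCode);
        KeyValuePair<string, DateTime> entry;
        lock (Sessions)
        {
            if (!Sessions.TryGetValue(AuthHeader.Token, out entry) || entry.Value < DateTime.UtcNow)
            {
                Sessions.Remove(AuthHeader.Token);   // drop stale entries as they are seen
                throw new SoapException("Invalid or expired token", SoapException.ClientFaultCode);
            }
        }
        return entry.Key;
    }
}
```

A stolen token is still a bearer credential, so the short lifetime and HTTPS on every call are what limit the damage; the OpenIdURL itself never leaves the MVC site.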


Solution

You might want to take a look at OAuth:

http://oauth.net/

(Use http://oauth.net/code/ for coding.)

It is geared specifically for this scenario (OpenID isn't, really).

There is another question on SA which asks about the best way to secure a web service, and OpenID and OAuth are both discussed:

Web Service Authentication using OpenID

OTHER TIPS

ASMX web services (which Microsoft now considers to be "legacy") have no ability to use OpenID for authentication. They can only use what IIS provides to them. You could possibly add a SoapExtension that would do OpenID authentication for them, but I wouldn't spend time there.

I don't know enough about OpenID to be certain, but I suspect it can integrate with WCF through federated security. I'm sure someone else will answer with details on that.

This isn't really an answer, but I can't leave comments...

You say "I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService".

I might be way off base here, but the language implies that these two sit on the same server. If so, why can't you just share the users database and the cookie token?

James

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow