Authenticating Users via Restful WCF services on Azure IIS Server - wcf

I'd like to write a mobile location-based application (iPhone, Android and BlackBerry) that will get and post data to my web server (hosted on Azure IIS) via WCF RESTful services.
What is the best way to authenticate my users?

REST authentication can be done custom (like API key auth), or using something like Basic Auth or OAuth. It depends slightly on the interaction you want. You can certainly use ACS to pretty easily secure a REST based service. However, this depends again on what you think you will have in terms of interaction.
As a starting point, I would look here at least (http://acs.codeplex.com/) to see how to use ACS and get started.

I'm doing something similar and I'm using encrypted tokens in my headers.
I'm sure there's a "standard" way of doing that sort of thing, but it was a lot easier just doing it myself.
Basically just using a shared secret to encrypt and a bit of:
WebOperationContext.Current.OutgoingResponse.Headers.Add("sec-token", WebSecurity.CreateToken(blah));
and
string inputToken = WebOperationContext.Current.IncomingRequest.Headers["sec-token"];
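A shared-secret header token of the kind this answer describes, as an added example that is not the poster's code: it authenticates the token with HMAC-SHA256 and an expiry rather than encrypting it, so the user id is readable but cannot be altered or reused after it expires. `HeaderToken`, the token layout and the sample secret are assumptions; the value returned by `Create` is what would go into the `sec-token` header.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; HeaderToken is a hypothetical helper, not the poster's WebSecurity class.
public static class HeaderToken
{
    // Assumed layout: base64("userId|expiryUnixSeconds") + "." + base64(HMAC-SHA256 of that payload)
    public static string Create(string userId, TimeSpan lifetime, byte[] secret)
    {
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes(userId + "|" + expires);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Sign(payload, secret));
    }
    // Returns the user id, or null when the token is malformed, forged or expired.
    public static string Validate(string token, byte[] secret)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        // Verify the MAC before parsing anything the client controls.
        if (!FixedTimeEquals(mac, Sign(payload, secret))) return null;
        string text = Encoding.UTF8.GetString(payload);
        int sep = text.LastIndexOf('|');
        if (sep < 0 || !long.TryParse(text.Substring(sep + 1), out long expires)) return null;
        return DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expires ? null : text.Substring(0, sep);
    }
    private static byte[] Sign(byte[] data, byte[] secret)
    {
        using (var hmac = new HMACSHA256(secret)) return hmac.ComputeHash(data);
    }
    // Comparison time does not depend on where the first mismatching byte is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret"); // constructed sample value
        string token = Create("alice", TimeSpan.FromMinutes(15), secret);
        Console.WriteLine(Validate(token, secret) ?? "rejected");
        Console.WriteLine(Validate(token, Encoding.UTF8.GetBytes("wrong-secret")) ?? "rejected");
    }
}
```

The token only proves possession of the secret, so it still has to travel over HTTPS, and a secret compiled into a mobile client can be recovered from the app.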

Related

Web API - Can Windows Authentication and an API key be used on same call?

I'm new to web services and am creating HTTP services using .NET Web API 2.
The consumers of the services will be other applications, but in the future I foresee web applications (browsers, mobile apps) using them. The services simply serve data to the consumers (no create/update/delete).
All applications, including the API, are located on our enterprise intranet. Nothing outward facing.
I was told to use Integrated Windows Authentication for the services. Can an API key also be used on the same services to authenticate the application that is making the calls?
I'm not even sure doing this makes sense. Can the consuming application (i.e. an executable run on a server) send account info? My thought is that Windows Authentication isn't necessary and token authentication will suffice. Others have told me to use both. I'm not sure that's possible and haven't found anything showing me it is.
An API key is a parameter passed to the service interface, so it can be passed with any type of auth on the backend.
But usually, an API key is used to determine whether a user is allowed to use a specific API. For example, if only a subset of users that have Windows accounts are allowed to use the API, then maybe that might make sense, because, even if they could authenticate with their Windows account, they could still be determined to be unauthorized by the fact that they did not pass a valid auth key.
That said, you could also do the same things with some kind of policy, for example, checking if the user has the correct role to call the api method. It makes more sense when you are giving people access to an api through the internet.
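The combination discussed in this answer, as an added example that is not code from the thread: a Web API 2 message handler that leaves authentication to Integrated Windows Authentication in IIS and then uses an API key as the authorization check. `ApiKeyHandler`, the `X-Api-Key` header name, the key table and the account name are assumptions; the code needs the ASP.NET Web API 2 assemblies.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;

// Added example; ApiKeyHandler, the X-Api-Key header and the key table are assumptions.
public class ApiKeyHandler : DelegatingHandler
{
    // Constructed sample data: API key -> Windows accounts allowed to present it.
    private static readonly Dictionary<string, string[]> Keys = new Dictionary<string, string[]>
    {
        { "constructed-key-reporting", new[] { @"CORP\svc-reporting" } }
    };

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // Step 1: who is calling? IIS has already run Windows Authentication.
        IPrincipal user = request.GetRequestContext().Principal;
        if (user == null || !user.Identity.IsAuthenticated)
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));

        // Step 2: may this caller use the API? The key must exist and belong to this account.
        IEnumerable<string> values;
        string key = request.Headers.TryGetValues("X-Api-Key", out values) ? values.FirstOrDefault() : null;
        string[] allowed;
        if (key == null || !Keys.TryGetValue(key, out allowed) ||
            !allowed.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden));

        return base.SendAsync(request, ct);
    }
}
// Registration in WebApiConfig.Register: config.MessageHandlers.Add(new ApiKeyHandler());
```

Binding each key to specific accounts means a leaked key is useless without the matching Windows identity, and a valid Windows account without a key is still refused.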

Authentication and Authorization for a simple Web Site

I'm struggling with these concepts and having trouble finding good resources on the web.
We are looking for ways to switch out custom implementations tightly integrated into our application for standards based authentication and authorization.
Our scenario is as follows:
A simple web site (may be an app in the nearby future)
A user must log in or otherwise gain access (i.e. there's no "guest" content or other things you can do as a guest)
The site uses its own web services (REST and/or SOAP) on the backend, but it might use 3rd party web services or exposes its own services as 3rd party services for other applications
Authentication may very well be done by an external provider: Users carry a smartcard and we'd like to have one simple identity provider which reads the smartcard information and sends it back to my simple web site (so I know who the user is and what his role is for instance)
Other sites might use other methods of authentication (simple username/password for instance), so we might need a configurable Service Provider??
I'm currently looking at OAuth (2) to implement for authorizing use of our REST Services (is it also useful for SOAP?) to our web site, perhaps with a simple "Client Credentials Grant" type.
But for authentication, I'm still none the wiser. There is OpenID, but is it easy enough to build your own OpenID Identity Provider? There is Shibboleth, but it seems to have a steep learning curve for doing custom stuff. And I've looked at just building something from scratch based on the SAML Authentication Request Protocol with an HTTP Post binding. Are there any other options?
Please keep in mind that we want to be flexible with our authentication. For a certain site, we might want to do the smartcard thing, but for another maybe simple username/password login with LDAP.
If it's helpful still, I personally thought about doing it myself, then discovered a bunch of third parties. I compared (5/18/2015):
Auth0
AuthRocket
UserApp
DailyCred
Conclusion for me was Auth0, because while all the features are very similar, it felt the most legitimate, as in it's not a start-up that might disappear in a few months. Now, the reason that was super important for me was because login is a foundational requirement, so I need to believe as a customer that the Authentication as a Service will be up for as long as I will be.
Here's the full comparison story:
https://medium.com/#bsemaj/authentication-as-a-service-comparison-5-quick-lessons-for-b2b-businesses-e7587275824c

Azure WCF Validation

I'm building a web service on Azure. I need to authenticate the users preferably with usernames and passwords in my database, but to be honest, I'll do it with the easiest and simplest way. Azure is pretty easy to use and I'm not sure why I'm struggling to find any documentation on how to secure my web service. Can anyone offer any advice?
In case you want to authenticate users with username and password I'd give MembershipProvider a try.
Using ASP.NET Membership Provider authentication in a WCF service
Search for wcf security. Azure will just host your service, but the development part is up to you.
Take a look at these MSDN links:
http://msdn.microsoft.com/en-us/library/aa354513.aspx
http://msdn.microsoft.com/en-us/library/ff405740.aspx

API key authentication and user authentication best practice

Can someone guide me on the best practice for this situation;
I have a REST service which developers can access with an API KEY. (I have this working in the WCF WEB API), so this part is done.
I would like developers to be able to validate a USER. i.e. use REST to check the username and password entered by a user.
Each of the end point methods only needs API KEY authentication, rather than basic authentication on the method call (if you see what I mean).
How should I best implement this?
Phil.
To securely send password data to a RESTful service you will need to secure communications across http. There are loads of ways to do this, see this post here:
How to secure RESTful web services?

How to secure a WCF service to be consumed by a specific application only?

I have a specific Silverlight application, that is fed with data by a WCF-Service. I want to make sure, that the WCF-Service is only called by that specific Silverlight App. What is the best way to accomplish that and what do I have to do? It doesn't have to be a high security solution.
Thanks in advance,
Frank
Enable basic authentication (username/password) on the service. Create a single user which the Silverlight app will use to authenticate itself with the service.
Easier, but less secure, might be to just use some sort of identifier (only known to the Silverlight client) as a service parameter.
Both options are obviously most secure when implemented with HTTPS. This can be accomplished by using a server certificate.
You CANNOT restrict access to such a service. Your app will need access to whatever key/password you chose. It is trivial to decompile your app and extract the key. SSL/TLS will not help - because the password can be extracted from the compiled code.
This question has been asked quite a few times recently -
Ensure exclusive access to webservice
How to restrict access to my web service?
How can I create and use a web service in public but still restrict its use to only my app?
If your application is running anonymously then it's virtually impossible to be 100% secure.
However, if you are requiring your users to authenticate then you should be able to make the service relatively secure by requiring their login credentials...
I don't know if it is easy with WCF, but I guess you could do something using client certificates. I only used this approach for protecting websites and it was quite easy to do...