Monday, April 25, 2011

Authenticating WCF Endpoint requests through multiple "Stores"

Can a single WCF Service endpoint be set up to authenticate against multiple authentication stores? i.e. if a UserName and Password are supplied, check the custom DB; otherwise try Windows Auth.

Background:

I have WCF Service A which is injected with a client proxy to WCF Service B. Service B could have a dependency on Service C etc.

A User request to Service A comes in and is authenticated using a custom UserNamePasswordValidator, and a ClaimSet is built using a custom implementation of IAuthorizationPolicy.

The authentication succeeds and the service operation on A is invoked. This operation makes a call to Service B via the injected proxy.

The Service B request then goes through the Auth/Authz stack but fails because no credentials have been set. As Service A called Service B, I trust it, so I want the authorization to succeed without having to pass around the User Name and Password of the original caller.

However it is possible that Service B can be called directly by a User with a username and password, so it must support both methods of authentication.

From stackoverflow
  • I'm pretty sure support for multiple credential types on one endpoint does exist. It might have been added with the Geneva framework, so I would look into that. This article mentions having an STS authenticate multiple credential types, so I would assume there is a way to do it with a normal service too without an STS.

    When I needed to have multiple 'keys' to authenticate with, I made a custom ClientCredential class instead.

    Sorry for the short answer, but I need to leave home to get to work... Work is such a hindrance to SO time :)

  • I managed to get this response from a contact at Microsoft:

    You can't have different security mechanisms on a single endpoint; you'd have to expose a separate endpoint for each security protocol you need, as each one needs a separate binding configuration, since the authentication mechanism is part of the endpoint definition.

    Multiple security modes on a single endpoint is something that's supposed to be coming with .NET 4.0.
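Putting the background (custom UserNamePasswordValidator plus a custom IAuthorizationPolicy building a ClaimSet) together with the advice above (one endpoint per security mechanism), here is an added C# example written for this page; it is not code from the question or from either answer. Service B hosts one contract on two endpoints: a "users" endpoint that takes a message-level username/password token checked against the custom store, and an "internal" endpoint that takes Windows credentials, which Service A calls under its own process identity so the original caller's password never leaves A. A single IAuthorizationPolicy then tags the claim set with which store vouched for the caller. The addresses, the certificate subject name, the claim URI and the in-memory user table are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IServiceB { [OperationContract] string WhoAmI(); }

public class ServiceB : IServiceB
{
    // Report the caller and which store vouched for it (the claim StoreAwarePolicy adds).
    public string WhoAmI()
    {
        var ctx = ServiceSecurityContext.Current;
        string store = "unknown";
        foreach (ClaimSet set in ctx.AuthorizationContext.ClaimSets)
            foreach (Claim c in set.FindClaims(StoreAwarePolicy.StoreClaimType, Rights.PossessProperty))
                store = (string)c.Resource;
        return ctx.PrimaryIdentity.Name + " authenticated via " + store;
    }
}

// Validator behind the username/password endpoint. The table is constructed sample data
// standing in for the custom DB; a real store keeps salted hashes, not plaintext passwords.
public class CustomDbValidator : UserNamePasswordValidator
{
    static readonly Dictionary<string, string> Users =
        new Dictionary<string, string> { { "alice", "correct horse battery staple" } };
    public override void Validate(string userName, string password)
    {
        string expected;
        if (password == null || !Users.TryGetValue(userName ?? "", out expected) || expected != password)
            throw new SecurityTokenException("Unknown username or incorrect password.");
    }
}

// One policy serves both endpoints: it reads the identity WCF already authenticated and records
// which mechanism produced it, so operations authorize on claims rather than on endpoint address.
public class StoreAwarePolicy : IAuthorizationPolicy
{
    public const string StoreClaimType = "http://example.com/claims/authstore"; // assumed claim URI
    public string Id { get { return "urn:example:store-aware-policy"; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext context, ref object state)
    {
        object obj;
        if (!context.Properties.TryGetValue("Identities", out obj)) return false;
        var identities = obj as IList<IIdentity>;
        if (identities == null || identities.Count == 0) return false;
        // A WindowsIdentity can only have come through the Windows endpoint; a token accepted by
        // CustomDbValidator surfaces as a GenericIdentity.
        IIdentity identity = identities[0];
        string store = identity is WindowsIdentity ? "windows" : "customdb";
        context.AddClaimSet(this, new DefaultClaimSet(Issuer, new List<Claim> {
            new Claim(ClaimTypes.Name, identity.Name, Rights.PossessProperty),
            new Claim(StoreClaimType, store, Rights.PossessProperty) }));
        return true;
    }
}

public static class ServiceBHost
{
    const string BaseAddress = "http://localhost:8000/ServiceB"; // assumed address
    public static ServiceHost Build()
    {
        var host = new ServiceHost(typeof(ServiceB), new Uri(BaseAddress));
        // Endpoint 1: message-level UserName token, checked by CustomDbValidator.
        var userNameBinding = new WSHttpBinding(SecurityMode.Message);
        userNameBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IServiceB), userNameBinding, "users");
        // Endpoint 2: Windows credentials; Service A calls this one under its own service account.
        var windowsBinding = new WSHttpBinding(SecurityMode.Message);
        windowsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IServiceB), windowsBinding, "internal");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new CustomDbValidator();
        // Message security with UserName tokens needs a service certificate (subject name assumed).
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "serviceb.example.com");
        host.Authorization.ExternalAuthorizationPolicies =
            new ReadOnlyCollection<IAuthorizationPolicy>(new IAuthorizationPolicy[] { new StoreAwarePolicy() });
        return host;
    }

    // The proxy to inject into Service A: Windows endpoint, no explicit credentials, so the call is
    // authenticated as Service A's process identity and the original caller's password stays in A.
    public static IServiceB CreateServiceAProxy()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return new ChannelFactory<IServiceB>(binding, new EndpointAddress(BaseAddress + "/internal")).CreateChannel();
    }
}
```

Calling ServiceBHost.Build().Open() starts both endpoints. Two caveats a practitioner would want: Windows authentication on the "internal" endpoint only proves the caller holds some Windows account, so the operation (or a ServiceAuthorizationManager) should still check that the WindowsIdentity is Service A's service account before treating the call as trusted; and clients of the "users" endpoint must reference the service certificate's identity (an EndpointIdentity on the EndpointAddress) so the username token is encrypted to the right key rather than having certificate validation switched off.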
