1

I have a custom MembershipProvider as shown below. It validate user name and password against Active Directory. I would like to make this as an “authentication service”. This should work even if the client uses forms authentication or windows authentication.

There is a WCF “HR Service” which is providing employee information. The “HR UI” website is using “HR Service” WCF service. Now we need to ensure that any client using the “HR Service” should be authenticated using “authentication service” before accessing the operation of “HR Service”. If the client application is authenticated once, next time onwards it should not be validated again (till the application is closed). When a new instance of the client application is opened it need to be authenticated from beginning.

How do we achive it? Do we have any code samples for the end to end flow demonstration?

Note: I should be able to test it using self hosted services.

Note: The client can be of any platform (e.g. Java).

namespace LijosCustomValidation { public sealed class LijoMembershipProvider : MembershipProvider { public override bool ValidateUser(string username, string password) { bool isValid = true; //my logic to validate the user name and password return isValid; } //other implementations of Abstract Methods from MembershipProvider }
Improve this question

1 Answer 1

Reset to default
4

Your auth service should return a token if the auth is successful. This token in turn should then be presented to the HR service.

You have a couple of options as to what the HR service does at this point. It can either know the secret to validate the token, or it needs to call the auth service to validate the token.

The token should be some value that can be validated if you know the secret, so it could something, say the users id, that is symmetrically encrypted. Ideally it should have a time component in it to prevent replay attacks.

I'd suggest some something like

<hash value>|<token issue time>|<user id>

The hash value should be hash (sha1, md5, etc) of everything after the first pipe. You can then base64 encode the result and pass it around. Validating the token could then check the issue date was within a certain time-frame.

You also have the option of storing the token in the client in a cookie and passing as a cookie to the services, or making it a parameter on your services. There may be other options, depending on your client architecture & how you want to structure your services.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks Simon. Would it be possible for you to give me a reference of such an implementation - end to end?
I'm afraid I'm not aware of such an implementation. My suggestion was just based on my experience of dealing with such challenges.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.