Authentication and Authorization with WCF (part 1) - Direct and Brokered Authentication

3/20/2011 3:50:36 PM
Direct and Brokered Authentication

When aggregating services into compositions, new requirements emerge for authentication. In the past, monolithic systems were able to take into account certain assumptions about the security context from which an application was accessed. Most times, the application owned the user credentials and could simply validate a client’s claim by checking the supplied credentials against a database or LDAP store.

Service-oriented solutions can no longer rely on such assumptions. Accessing one service may result in the invocation of multiple services, plus it can be common for a service consumer to require access to multiple different services in order to complete a single task. These new dynamics have introduced new security models for authentication.

Direct Authentication

Direct Authentication is a pattern based upon a trust relationship that exists between the service and the service consumer. This trust relationship allows the service to accept a claim of identity directly from the service consumer and validate that claim using information already owned by the service.

The most common example of first-party authentication is the exchange of credentials in the form of a user ID and password. The credentials are validated against a security store that is either owned by, or directly accessible from, the service implementation (Figure 1).

Figure 1. The human end-user, in this case, supplies the credentials to the desktop application acting as the service consumer. These credentials are validated against a data store under the control of the service.

This approach is reminiscent of traditional authentication mechanisms used in point-to-point data exchange, and is therefore common with single service-consumer message exchanges.

Brokered Authentication

Brokered Authentication  is typically used in situations where a trust relationship does not exist between a service and a potential service consumer. Instead, separate trust relationships are established between the service and an authentication broker, and between the service consumer and the authentication broker. In other words, the service consumer is responsible for establishing an identity with the authentication broker and this same authentication broker forms a trust relationship with the service (Figure 2).

Figure 2. When the service consumer is ready to access the service, it presents its credentials to the authentication broker. The authentication broker returns to the consumer a security token that represents a claim of identity. This security token most likely contains some proof of a relationship between the broker and the consumer that the service uses to validate the trust relationship (between the broker and consumer).
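The two patterns above, written out as an added, language-neutral Python simulation of the message flow (this is not WCF code and not from the original article). Under Direct Authentication the service checks the consumer's password against a store it owns; under Brokered Authentication the broker checks the password and issues a signed token, and the service validates only the broker's signature and expiry using the key it shares with the broker. All stores, users, passwords and the shared key are constructed sample values.

```python
import hashlib, hmac, json, time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Direct Authentication: the service owns the credential store.
# Constructed sample store; passwords kept as salted SHA-256 digests.
SERVICE_STORE = {"alice": ("salt1", hashlib.sha256(b"salt1" + b"s3cret").hexdigest())}

def direct_authenticate(user, password):
    """Service validates the consumer's claim against its own store."""
    rec = SERVICE_STORE.get(user)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)

# Brokered Authentication: the broker owns the store; the service only trusts the broker.
BROKER_STORE = {"bob": ("salt2", hashlib.sha256(b"salt2" + b"pass").hexdigest())}
BROKER_SERVICE_KEY = b"constructed-shared-key"  # trust relationship broker <-> service

def broker_issue_token(user, password, ttl=300):
    """Consumer proves identity to the broker; broker returns a signed claim."""
    rec = BROKER_STORE.get(user)
    if rec is None:
        return None
    salt, digest = rec
    candidate = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, digest):
        return None
    claims = json.dumps({"sub": user, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(BROKER_SERVICE_KEY, claims, hashlib.sha256).digest()
    return urlsafe_b64encode(claims).decode() + "." + urlsafe_b64encode(sig).decode()

def service_validate_token(token):
    """Service checks the broker's signature and expiry; it never sees the password."""
    try:
        claims_b64, sig_b64 = token.split(".")
        claims = urlsafe_b64decode(claims_b64)
        sig = urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(BROKER_SERVICE_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered claims
    payload = json.loads(claims)
    if payload["exp"] < time.time():
        return None  # expired
    return payload["sub"]
```

The service in the brokered flow holds no consumer passwords at all, which is what allows a single broker to front many services.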


Authentication Patterns in WCF

When determining how to establish an authentication mechanism within WCF, decision factors are largely dependent upon the use cases for a given service. Considerations that can affect this decision include:

  • the type and location of the existing credential store used within the service inventory

  • the trust boundaries associated with the service

  • the constraints applied to authorization (explained in the next section)

These decisions should be driven more by business needs than by technical merits.

The patterns described so far are explained with scenarios that are primarily concerned with uniquely identifying service consumers to the service. However, in the context of WCF and service-oriented solutions, authentication often refers to the mutual authentication of the consumer and the service. Mutual authentication allows the service to positively identify the consumer trying to access it, and it also enables the service consumer to positively identify the service.

This is specifically relevant to WCF services that are Internet-facing. Without the ability to verify the authenticity of a service, an attacker could spoof the service and hijack messages. Such an attack could potentially expose sensitive data contained in messages intended for the genuine service.
