Authentication Service using WCF

Question

I have a custom MembershipProvider as shown below. It validate user name and password against Active Directory. I would like to make this as an “authentication service”. This should work even if the client uses forms authentication or windows authentication.

There is a WCF “HR Service” which is providing employee information. The “HR UI” website is using “HR Service” WCF service. Now we need to ensure that any client using the “HR Service” should be authenticated using “authentication service” before accessing the operation of “HR Service”. If the client application is authenticated once, next time onwards it should not be validated again (till the application is closed). When a new instance of the client application is opened it need to be authenticated from beginning.

How do we achive it? Do we have any code samples for the end to end flow demonstration?

Note: I should be able to test it using self hosted services.

Note: The client can be of any platform (e.g. Java).

namespace LijosCustomValidation
{
public sealed class LijoMembershipProvider : MembershipProvider
{

    public override bool ValidateUser(string username, string password)
    {
        bool isValid = true;
 //my logic to validate the user name and password
        return isValid;
    }

   //other implementations of Abstract Methods from MembershipProvider
  }

Answer 1

Your auth service should return a token if the auth is successful. This token in turn should then be presented to the HR service.

You have a couple of options as to what the HR service does at this point. It can either know the secret to validate the token, or it needs to call the auth service to validate the token.

The token should be some value that can be validated if you know the secret, so it could something, say the users id, that is symmetrically encrypted. Ideally it should have a time component in it to prevent replay attacks.

I'd suggest some something like

<hash value>|<token issue time>|<user id>

The hash value should be hash (sha1, md5, etc) of everything after the first pipe. You can then base64 encode the result and pass it around. Validating the token could then check the issue date was within a certain time-frame.

You also have the option of storing the token in the client in a cookie and passing as a cookie to the services, or making it a parameter on your services. There may be other options, depending on your client architecture & how you want to structure your services.