User/Pass Authentication using RESTful WCF & Windows Forms

Question

What is the best approach to implementing authorisation/authentication for a Windows Forms app talking to an IIS-hosted RESTful WCF Service?

The reason I ask is I am

Answer 1

Thanks for the answers. Stepping back and looking clearly and unbiased at the problem as a whole (in other words ignoring the 4+ hours I invested looking into RESTful services) I am attempting to get the thing working without REST for now and the references I am attempting to follow at the moment are these: -

• http://blogs.msdn.com/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx
• http://www.devatwork.nl/index.php/2007/05/31/wcf-username-authentication/

This seems applicable for what I want.

lextm: I hear you on this, after I wrote the post I scanned closer through the WCF security guide and made notes on all my requirements based on the options given they want you to think about on each tenet.

I have chosen:
- Transfer Security Mode: Transport Security
- Auth. Option: Basic Security
- Binding: wsHttpBinding
- Custom authentication with username validator

In light of the examples provided for each and looking at the use case of windows forms w/ WCF service it seems like the best way to go.

Nicholas: Agreed, designing the services to be stateless is probably a better approach.

So based on the article I will be following when I get time, it utilises the X509 cert. which I am very new to (understand you are using this Nicholas) will this be fine given this client app can be downloaded from the internet and installed on anybody's PC who has an account with my website?

Cheers for all your help, Graham

PS: I think this is the closest use case to my scenario (except I wish to use transport security), should I be considering implementing this as it does not bother with a cert? From the quote I read I might need the cert. as "The X509 certificate encryption is required by WCF because the client credentials (username/password) are passed as clear text in the SOAP message." - however from what I've learnt and what we said, if I am using SSL, this point is probably moot?