WPF & WCF Security - Username and password = STS
I'm about to start a project with WPF which uses a web service to get info etc.
A username and password is required to authenticate you and get data which belongs to you.
I would like my WPF application to store the username and password, but I don't want to store it. So I was thinking: it would be cool if, after I log in for the first time, it generated a certificate at the WCF end and gave it to the WPF application, which could then be used for each and every call.
Is what I'm thinking possible? Another problem I would like to tackle is how do I avoid someone copying and pasting the certificate?
Update
Based on @zamd's suggestion, this is what I would like to solve:
- Webservice uses WCF Web API
- Site has forms authentication
- Site signs in with username and password, which is validated by a Token Service
- Webservice can authenticate the user's token provided by the Token Service
I found this very useful blog article (http://weblogs.asp.net/cibrax/archive/2011/02/04/authenticating-clients-in-the-new-wcf-http-stack.aspx), but I would like to use Forms Authentication to get the SAML token.
You should look into claims-based security and SAML tokens.
At login, your application should go to your service or a 'security service', also known as a 'Security Token Service', and get a SAML token in exchange for a username/password pair. SAML tokens are usually secured for the recipient and can be safely stored on the client side until they expire.
Every time you need to call the WCF service, you can use this SAML token for rich authentication and authorization.
Your understanding of certificate-based authentication is incorrect. Certificates are used for establishing SSL connections, for encrypting data using asymmetric encryption, and for authenticating users; but to authenticate a user against a certificate, the certificate should be installed on the user's system and not provided by the WCF service. This requires one to set up a PKI infrastructure. The other options you can look at are:
- ASP.NET forms authentication, running the WCF service in ASP.NET compatibility mode. In this case, once authenticated, only the auth cookie is passed thereafter.
- Look at this question for some other ways: User/Pass Authentication using RESTful WCF & Windows Forms
If you have to use a username/password combination, then you can get Windows to store it for you under Windows 7 and Windows Server 2008 (and perhaps Vista) using the Windows Credential Manager. You need to fall back to P/Invoke calls (http://pinvoke.net/default.aspx/advapi32/CredRead.html and http://pinvoke.net/default.aspx/advapi32/CredWrite.html) for this.
The only issue I had with this is that it didn't work on Windows Server 2003 even though the documentation says that it is a supported OS.