Authentication, authorization, and identities in WCF REST

Topics: Web Api
Jan 14, 2011 at 8:30 PM

What would be considered the "best practices" method of handling authentication, authorization, and identities with WCF HTTP? Would it be to use WIF? Does WIF play nicely with WCF HTTP?

It would be great to see an end-to-end example.

Jan 29, 2011 at 6:46 PM
Edited Jan 29, 2011 at 7:01 PM
OK. I'm getting somewhere with this. It appears that you can lock down service routes using ASP.NET authorization. Like so:
<location path="ServiceRoute1">
  <system.web><authorization>
    <allow roles="Admin"/>
    <deny users="*"/>
  </authorization></system.web>
</location>
<location path="ServiceRoute2">
  <system.web><authorization>
    <allow roles="Sales"/>
    <deny users="*"/>
  </authorization></system.web>
</location>

Now my question is how do we implement authentication and identity? I've been looking into WIF and AppFabric ACS, but I can't seem to figure out how you'd implement a security token service using JavaScript and JQuery. When you're trying to access a web resource through a browser, ASP.NET authorization can automatically redirect you to a login page. When you're calling a web service through JQuery, you can't really do this. Any suggestions?
Jan 29, 2011 at 7:58 PM

Yes, we will integrate with WIF. We have a new channel stack coming which exposes the new HttpChannel which is included in the Microsoft.Net.Http.dll on the server. It is the ideal place for plugging in security concerns. We are working with the WIF team to provide integration at that layer for OAuth. We are not there yet, but will be in the near future.

Mar 1, 2011 at 8:43 PM

Did you manage to authorize WCF HTTP using ASP.NET auth?

Mar 1, 2011 at 11:26 PM

Yes, authorization works fine using ASP.NET authorization. The main complexity is handling authentication and identity. I would like to be able to call my web services using jQuery, but I'm not sure how you'd incorporate claims-based authentication and manage security tokens with jQuery.

Mar 2, 2011 at 5:50 AM

How did you solve ASP.NET auth with WCF HTTP?

I tried to implement a WCF HTTP ServiceRoute that authenticates against ASP.NET Forms Auth and gives the ticket to the client, but it doesn't actually work.

Mar 2, 2011 at 8:17 AM

I use a ServiceAuthorizationManager, and there you can access HttpContext.Current to check the credentials. I've implemented HTTP BasicAuth with that ... there is an existing Web App with an HTTP handler for authentication, and the Web API project checks in the ServiceAuthorizationManager whether there is an authenticated user. In our Web App the current user information is stored in the context as an "Item" (that is not the best way, but our Web App uses it).


            // Inside the ServiceAuthorizationManager: require SSL, then pick up the
            // user that the Web App's HTTP handler has already authenticated.
            var currentHttpContext = HttpContext.Current;
            if (currentHttpContext != null)
            {
                if (!SecureRequestChecker.IsSslSecure(currentHttpContext.Request))
                    throw new RequiresSSLException();

                useraccount = currentHttpContext.Items["useraccount"] as Useraccount;
            }

You can also check the IIdentity / IPrincipal of the Web App (which would be the better way).
When the user is valid, I set the identity on the current WCF OperationContext:
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Policy;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class OperationContextExtensions
{
    // Extension method: replace the identity/principal WCF exposes for this operation.
    public static void ReplacePrimaryIdentity(
        this OperationContext context,
        Useraccount useraccount)
    {
        var incomingMessageProperties = context.IncomingMessageProperties;
        if (incomingMessageProperties == null)
            return;

        var identity = new APIIdentity(useraccount);
        var principal = new APIPrincipal(identity);

        var security = incomingMessageProperties.Security ??
                (incomingMessageProperties.Security = new SecurityMessageProperty());

        // Start from the policies already attached to the request; an anonymous
        // transport may not have a ServiceSecurityContext at all.
        var policies = security.ServiceSecurityContext != null
            ? security.ServiceSecurityContext.AuthorizationPolicies.ToList()
            : new List<IAuthorizationPolicy>();

        // Merge any externally configured policies.
        ReadOnlyCollection<IAuthorizationPolicy> configPolicies = security.ExternalAuthorizationPolicies;
        if ((configPolicies != null) && (configPolicies.Count > 0))
            policies.AddRange(configPolicies);

        // Update our own policy if it is already present, otherwise add it.
        var authorizationPolicy = policies.Find(p => p.Id == IdentityAuthorizationPolicy.IdName) as IdentityAuthorizationPolicy;
        if (authorizationPolicy != null)
        {
            authorizationPolicy.Identity = identity;
            authorizationPolicy.Principal = principal;
        }
        else
        {
            policies.Add(new IdentityAuthorizationPolicy(identity, principal));
        }

        var authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
        security.ServiceSecurityContext = new ServiceSecurityContext(
                authorizationContext,
                new ReadOnlyCollection<IAuthorizationPolicy>(policies));
    }
}
Hope that helps,
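An added example, not code from any poster in this thread, of the ServiceAuthorizationManager approach described above with an HTTP Basic check done inside WCF itself. It assumes a WebHttp host (so WebOperationContext is available); BasicAuthorizationManager, ValidateUser and UserProperty are hypothetical names, and the credential check must be wired to a real store.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Web;
using System.Text;

public class BasicAuthorizationManager : ServiceAuthorizationManager
{
    public const string UserProperty = "AuthenticatedUser"; // hypothetical property name
    // Hypothetical credential hook; wire it to Membership.ValidateUser or your own store.
    public static Func<string, string, bool> ValidateUser = (u, p) => false;

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Basic only base64-encodes the password, so refuse to look at it over plain HTTP.
        if (operationContext.IncomingMessageHeaders.To.Scheme != Uri.UriSchemeHttps)
            throw new WebFaultException(HttpStatusCode.Forbidden);
        var request = operationContext.IncomingMessageProperties[HttpRequestMessageProperty.Name]
                      as HttpRequestMessageProperty;
        string user;
        if (request == null ||
            !TryAuthenticate(request.Headers[HttpRequestHeader.Authorization], ValidateUser, out user))
        {
            // Challenge with 401 instead of WCF's default 403 so the client knows to send credentials.
            WebOperationContext.Current.OutgoingResponse.Headers[HttpResponseHeader.WwwAuthenticate] =
                "Basic realm=\"api\"";
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        }
        // Hand the verified name to the operation; ReplacePrimaryIdentity above shows the
        // WCF-native alternative of putting a principal on the ServiceSecurityContext.
        operationContext.IncomingMessageProperties[UserProperty] = user;
        return true;
    }

    // Parses "Basic base64(user:password)"; only the first ':' separates, so passwords may contain ':'.
    public static bool TryAuthenticate(string header, Func<string, string, bool> validate, out string user)
    {
        user = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }   // malformed base64: treat as missing credentials
        int colon = pair.IndexOf(':');
        if (colon <= 0) return false;               // no separator or empty user name
        if (!validate(pair.Substring(0, colon), pair.Substring(colon + 1))) return false;
        user = pair.Substring(0, colon);
        return true;
    }
}
```

Register it through the serviceAuthorization behavior (serviceAuthorizationManagerType) and have operations read OperationContext.Current.IncomingMessageProperties[UserProperty] for the caller's name.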
Mar 2, 2011 at 9:03 AM

Just at this moment I got the ASP.NET Forms Auth / Membership/Roles integration running within my WCF HTTP Auth Service.

I'll blog about this later today.

Mar 2, 2011 at 12:15 PM

This doesn't help from a browser/jquery perspective, but this is how we are authenticating against Basic from our web app to back end services.       

            // Basic credentials: "user:password", base64-encoded, in the Authorization header.
            var byteArray = Encoding.ASCII.GetBytes(ConfigurationManager.AppSettings["UserName"] + ":" + ConfigurationManager.AppSettings["Password"]);
            httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(byteArray));

Mar 2, 2011 at 2:15 PM

Here's my blog post:

Mar 2, 2011 at 3:31 PM

I can't understand German. ;)

Mar 2, 2011 at 4:19 PM

I'll write an English blog post this evening.

Mar 2, 2011 at 7:37 PM

Please find the translation here:

Mar 5, 2011 at 7:06 PM

You can also find an implementation I made for using basic authentication and WIF claims-based authentication with this WCF web HTTP stack. It is using WCF channels, so there is no dependency on ASP.NET.

As Glenn mentioned, they are providing a new channel stack soon, so what I made should work in that new stack too with a few changes.

Mar 19, 2011 at 6:50 PM

Posted an update to my recent WCF posting showing how to use the new HttpClient using ASP.NET Forms Auth with WCF Web APIs: