Token Based Auth WCF Web API

Topics: Web Api
Oct 7, 2011 at 2:22 AM


I am trying to implement Token based authentication with WCF Web API. I have spent a lot of time doing research to come with a logical scenario that I think works until someone comes up with a better integration with OAuth2.0. Please let me know if this approach works and if possible, provide suggestions on how I can improve this.

1. I have a Membership Provider based model for User Registration/Login.

2. I allow users to login either via Facebook, Gmail, very similar to ACS2.0.

3. When people successfully login to Facebook, I register them on the Membership provider with their Email and a random password so that they get have an internal UserId. This helps me associate everything they do with our databases to the UserId from the Membership table.

4. Once they are registered, I create an encrypted ticket using FormsAuthentication and then pass it on to my WP7 app which then securely stores this in an Isolated Storage.

5. Now when users make any calls to my WCF Web API Web service, I pass this token as a part of the HTTP Header parameter.

6. On the WCF Service, I have created a TokenHandler that implements DelegatingHandler (very similar to the ApiKeyHandler as shown in various examples). This handler searches for the token, decrypts it, and then obtains the Identity from the ticket.

7. At this point, I know that the request is valid (although I still know, that if someone got a hold of that encrypted string I store on the phone, I'd be in real trouble. Is there a better approach here?)

Finally, the important WCF Web API question:

I am looking for a way to take this parsed UserId value and then pass it as a parameter to the Web Method -OR- create a GenericPrincipal from this and then associate it with the HttpRequest.

Now my Q is, how can i translate this UserId that I decrypted into a UserIdentity or append this to the original call such that it becomes a parameter of the Web Method. I ideally would love it if I could create a Generic principal and then just keep the Web Method parameters independent of this and then use Identity.Name in the method to obtain this information.

Anyone have any ideas on how I could do this? I would highly appreciate any kind of feedback on this. If there are better ways to solve this issue of Authentication I would love to hear about the same as well.

I have tried to look for OAuth2.0 Provider and Consumer tutorials but have found very little that I can actually use and hence I've been forced to utilize this approach.

Thank You