IIS hosted Basic Auth for external users

Topics: Web Api
Dec 12, 2011 at 3:39 PM

No specific questions here, just general comments. I have been looking at WebAPI and I want to give the team some feedback

I recently got stuck on how to authenticate users without domain accounts (e.g. customers) for my IIS hosted WCF services. To support the widest range of devices I figured I should use basic authentication fronting a membership provider. Unfortunately when you specify transport security with basic authentication on a WCF service IIS gets in on the act. The native IIS httpbasicauthentication module insists that all users have windows accounts.

The old REST starter kit provided Request Interceptors which were very useful for my purpose. The kit stopped at .net 3.5 so I found I could actually implement basic auth with a custom ServiceAuthorizationManager. (Another approach is to create a custom httpmodule).   The RequestInterceptor / ServiceAuthorizationManager approach works on the WCF request messsage and results in state being propagated to weboperationcontext (operationcontext) and servicesecuritycontext.  Exactly what I want for resusablity of types shared with my SOAP services. 

I checked out what WebApi could offer and gave up. I created message handlers to implement the basic auth protocol on the client interface, but I fell short of integrating with the WCF context and security classes. I saw various samples that confine interest to the HttpRequestMessage, the Asp.net Authorize attribute and injecting IPrincipal objects into operation params, but I don't think that is a good approach.

There is lots to love about WebApi but coming at things from the WCF side I am a bit concerned that it might be getting a bit far removed from WCF.  It also seems to me that security generally is not given enough priority. The focus here is on building web apps not web sites and web apps require security for non-domain users.