I want to implement token-based authentication and authorization for my WCF services (multiple) where username and password will be sent along with a custom token generated in encrypted format. I also need to provide authorization on the operation contract. I will not be using the aspnet membership tables but a simple custom table for users and roles.

Workflow will be somewhat like:

User consumes service(s).
Provides UserName and Password.
A token is created and attached to UserName and Password and sent to the DB for authentication.
Responds back and the user calls the operation contract.
UserName, Pwd and Token are sent for authorization.
Service authorises and the method is consumed.

Please provide a workable solution.
Posted 23-Jan-13 22:47pm
Gittu Dash 24-Jan-13 5:01am
Well, what I got from your question is that you want to provide Service consumption facility to those users who are Registered with you.

So if I'm right then there is no need to send the Token to the Database for checking purposes. Coz the database can't check your Dynamically generated token.
So I'd suggest you generate the whole Authorization stuff using just Username & Password checking.
And after validating username & password you generate a token using Cookies & send this token to your user.
Otherwise, if you want more safety then use a Session variable for generating a token.
Pinank_CD 24-Jan-13 5:56am
Yes. I will validate the username and password in the database, but I want to send the credentials in encrypted format and will decrypt them in the DAL. Besides this, what security features can be implemented for authorization at the contract level?
Pinank_CD 24-Jan-13 6:14am
Exactly, this is what I want. Can we achieve this?

1. The client calls Login with the username/password
2. Encryption is performed in the client sink
3. Message is sent to the server
4. The server decrypts the message in the server sink
5. Server Login() method validates the username/password from its user database
6. Server creates a token which can be used to validate the client on future requests
7. The Login() method returns with a response (i.e. the token)
8. Server's response is encrypted in the server sink
9. Message is sent to the client
10. Message is received at the client and decrypted; the client now has a token for future requests
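The ten steps above, together with the later question about role-based permission on an operation contract backed by a custom users/roles table, can be shown end to end in one small program. This is an added, language-independent illustration of the scheme, not code from the original thread and not WCF code: the encrypting client/server sinks are left out (in WCF that is the job of transport security or message security on the binding), and the users/roles table, the passwords and the role names are constructed for the example. The server keeps a secret key, issues a token that carries the username and an expiry and is signed with HMAC, and on every later call checks the signature and the expiry before looking up the caller's roles.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: one secret per service host. Rotating it invalidates every token issued under it.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the users table never stores a plaintext or reversible password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str, roles: set) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": frozenset(roles)}


# Constructed stand-in for the custom users/roles tables (not the aspnet membership tables).
USERS = {
    "alice": make_user("correct horse", {"Admin", "User"}),
    "bob": make_user("battery staple", {"User"}),
}


def _sign(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()


def login(username: str, password: str):
    """Steps 5-7: validate the credentials against the table and return a signed token, or None."""
    record = USERS.get(username)
    # Hash even for unknown users so response timing does not reveal which usernames exist.
    candidate = hash_password(password, record["salt"] if record else b"\x00" * 16)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    payload = {"sub": username, "exp": int(time.time()) + TOKEN_TTL_SECONDS, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")
    return f"{body}.{_sign(body)}"


def validate_token(token: str, now=None):
    """Return the username the token was issued to, or None if it is malformed, tampered or expired."""
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig.encode("utf-8"), _sign(body).encode("ascii")):
        return None  # signature checked before anything in the body is trusted
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < (now if now is not None else time.time()):
        return None
    return payload["sub"]


class Unauthorized(Exception):
    """No valid token: the caller must log in again."""


class Forbidden(Exception):
    """Valid token, but the caller lacks the role the operation requires."""


def requires_role(role: str):
    """Guard an operation the way a contract-level role check would: token first, then role."""
    def decorate(operation):
        def guarded(token, *args, **kwargs):
            caller = validate_token(token)
            if caller is None:
                raise Unauthorized("missing, tampered or expired token")
            if role not in USERS.get(caller, {}).get("roles", ()):
                raise Forbidden(f"{caller} lacks role {role}")
            return operation(caller, *args, **kwargs)
        return guarded
    return decorate


@requires_role("User")
def get_profile(caller):
    return {"user": caller, "roles": sorted(USERS[caller]["roles"])}


@requires_role("Admin")
def disable_user(caller, target):
    return f"{target} disabled by {caller}"


if __name__ == "__main__":
    token = login("alice", "correct horse")      # steps 1, 5, 6, 7
    print(get_profile(token))                     # later call carrying only the token
    print(disable_user(token, "bob"))
```

Because the token is signed by the server, later calls carry only the token; the username and password do not have to be resent on every operation, and a token that has been altered, forged without the key, or kept past its expiry is rejected before the role lookup runs. The same split (authenticate once, then authorize each operation by role) is what a WCF `UserNamePasswordValidator` plus a per-operation role check gives you.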
Gittu Dash 24-Jan-13 7:15am
Improved in the Solution.
Check & tell me if you find it useful or not.
Pinank_CD 25-Jan-13 5:24am

I am not able to find much help. Can you please guide me on the task below?

1. After authorizing UName and Pwd from the DB, how can I return a token and set it in the session variable in the client's environment?
2. Role-based (my own table, not aspnet membership) permission on the operation contract

Gittu Dash 26-Jan-13 3:26am
Okay, tell me one thing.
Do you want to store the token on the Server or in the User's Browser?
If you are gonna save it on the server, then there is no need to Encrypt it.
But if you want to store it in the user's Browser, then you need to encrypt it as per your requirement.

So be clear here what exactly do you want.

Solution 1

You can put all your Service files in a Folder & arrange Forms Authentication for it.
But it might come with demerits when portable devices are going to consume your Service.

Otherwise you can follow the below links for Service contract level Security & Encryption:

WCF Service Method Level Security using Message Contract[^]

WCF FAQ: Part 3 – 10 security related FAQ[^]

Now what I believe is that you are going to need all this encryption/decryption when you are storing the user Identity in the User's Browser. Coz at server level everything is Secure.
So you can follow the below links if you want to implement Encryption:

how to encrypt and decrypt password in[^]

So as per your requirement to store the Identity of the User in the user's Browser by Encrypting it, you could follow the below mentioned link:

HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0[^]

Still, if you want to implement a Secure Identity using a Server-side storing technique, then I'd suggest you go for a Session variable.

I believe this could help you to some extent.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 24 Jan 2013