Click here to Skip to main content
11,928,740 members (57,733 online)
Click here to Skip to main content
Add your own
alternative version

Tagged as


61 bookmarked

Secure WCF RESTful service using OAUTH

, 24 Apr 2012 CPOL
Rate this:
Please Sign up or sign in to vote.
How to build a security layer on top of your WCF RESTful service.


To get started with this article, we will build a WCF RESTful service which is called the service provider and client application (in this case it's a web app) which would use services and is called the consumer. I wanted to build a security layer on top of my WCF RESTful service. So when I Googled I got many links targeting at OAUTH and all the articles and posts talking about using OAUTH with complicated examples. I could not figure out where to start.

After many clicks on Google, I found pieces of code to understand what needed to be done to provide security for my RESTful services. So in this article I will try to keep things as simple as possible and show how to achieve this complicated task.

So what is OAUTH?

OAuth is a standardization and combined wisdom of many well established industry protocols. It is similar to other protocols currently in use (Google AuthSub, AOL OpenAuth, Yahoo! BBAuth, Upcoming API, Flickr API, Amazon Web Services API, etc.).

DotNetOpenAuth is a consumer and service provider implementation for OAuth 1.0 and 1.0a for .NET, written in C#. It has built-in support for HMAC-SHA1, RSA-SHA1, and PLAINTEXT signature methods with extensibility to add others.

Many people have contributed towards OAUTH implementation for Java, .NET, PERL, PHP, etc. DevDefined OAuth has contributed for .NET. Before we start on an example, download the base class from

Now let’s get on to the code part. In this article I will not discuss how to build a RESTful service from scratch.

In my WCF RESTful service I have implemented a Get method (GetSampleMethod_Without_OAuth) without using OAUTH. Below is the simple implementation (hoping it is quite simple Smile | :) )

[OperationContract(Name = "GetSampleMethod_Without_OAuth")]
[WebGet(UriTemplate = "GetSampleMethod_Without_OAuth/inputStr/{name}")]
string GetSampleMethod_Without_OAuth(string name);
public string GetSampleMethod_Without_OAuth(string strUserName)
    StringBuilder strReturnValue = new StringBuilder();
    // return username prefixed as shown below
    strReturnValue.Append(string.Format("You have entered userName as {0}", strUserName));
    return strReturnValue.ToString();

To verify this method, open the browser with the URL: https://localhost/MyService.svc/GetSampleMethod_Without_OAuth/inputStr/suryaprakash.

In this case you would see the output and if you notice, this service is wide open to anyone. To overcome such issues we could go with the below implementation.

Let’s implement another method with OAuth security. This method would return the same output as above but before processing, it would check for CONSUMERSECRET which is supposed to be sent from the client to make use of the services. If the key doesn’t match it would return an unauthorized request message.

This consumer secret can be shared with multiple clients. Apart from the consumer secret there are parameters like oauth_timestamp, oauth_nonce, URL, etc., which are to be sent (more details on

In my case the consumer secret is “suryabhai” which has to be sent along with the service call. The authenticate method would read all input parameters and send it to the OAuthBase class, and finally it would return true or false which will define whether to process the request or deny it.

Let's look at the below code:

[OperationContract(Name = "GetSampleMethod_With_OAuth")]
[WebGet(UriTemplate = "GetSampleMethod_With_OAuth/inputStr/{name}")]
string GetSampleMethod_With_OAuth(string name);
public string GetSampleMethod_With_OAuth(string strUserName)
    if (Authenticate(WebOperationContext.Current.IncomingRequest))
        StringBuilder strReturnValue = new StringBuilder();
        // return username prefixed as shown below
        strReturnValue.Append(string.Format("You have entered userName as {0}", strUserName));
        return strReturnValue.ToString();
        WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
        return "Unauthorized Request.";

private static bool Authenticate(IncomingWebRequestContext context)
    bool Authenticated = false;
    string normalizedUrl;
    string normalizedRequestParameters;
    NameValueCollection pa = context.UriTemplateMatch.QueryParameters;
    if (pa != null && pa["oauth_consumer_key"] != null)
        // to get uri without oauth parameters
        string uri = context.UriTemplateMatch.RequestUri.OriginalString.Replace
            (context.UriTemplateMatch.RequestUri.Query, "");
        string consumersecret = "suryabhai";
        OAuthBase oauth = new OAuthBase();
        string hash = oauth.GenerateSignature(
            new Uri(uri),
            null, // totken
            null, //token secret
            out normalizedUrl,
            out normalizedRequestParameters
        Authenticated = pa["oauth_signature"] == hash;
    return Authenticated;

So far so good, the implementation is done, now let's open the browser and call the service: https://localhost/MyService.svc/GetSampleMethod_With_OAuth/inputStr/suryaprakash.

When you make a request to the GetSampleMethod_With_OAuth method as above, the service would return “UNAUTHORIZED REQUEST” as we did not supply the consumer secret and other parameters. To complete this article, let’s go ahead and implement a client which will call the above method by sending all the necessary inputs/parameters.

As part of the client implementation, we would make a call to the service using a WebRequest by providing all the necessary parameters and the client code has to use the same consumer secret shared by the service.

In the default.aspx.cs PageLoad event, add the below code. The client also has to include the OAuthBase class from

string consumerKey = "test";
string consumerSecret = "suryabhai";
var uri = new Uri("http://localhost/MyService.svc/GetSampleMethod_With_OAuth/inputStr/suryaprakash");
string url, param;
var oAuth = new OAuthBase();
var nonce = oAuth.GenerateNonce();
var timeStamp = oAuth.GenerateTimeStamp();
var signature = oAuth.GenerateSignature(uri, consumerKey,
consumerSecret, string.Empty, string.Empty, "GET", timeStamp, nonce,
OAuthBase.SignatureTypes.HMACSHA1, out url, out param);
WebResponse webrespon = (WebResponse)WebRequest.Create(
   string.Format("{0}?{1}&oauth_signature={2}", url, param, signature)).GetResponse();
StreamReader stream =new StreamReader(webrespon.GetResponseStream());
txtResult.Text = stream.ReadToEnd();

Now let’s call the service by opening the default.aspx page in browser. As we are using a valid consumer secret, the output would be as expected. Now let’s modify the consumer secret and open default.aspx. In this case the expected output is “UNAUTIRUZED REQUEST”.

My example talks about only the GET method and sending data in a query string but it can be extended for a POST method as well and we can send data in headers instead of the query string.

Happy coding… Hope this helps!


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

You may also be interested in...

Comments and Discussions

QuestionWCF Security Pin
Member 1194245126-Nov-15 21:33
memberMember 1194245126-Nov-15 21:33 
QuestionSecure WCF RESTful service using OAUTH with token & token secret Pin
silambuselvan4-Nov-15 1:47
membersilambuselvan4-Nov-15 1:47 
GeneralException when run Pin
Member 1194245113-Oct-15 20:47
memberMember 1194245113-Oct-15 20:47 
GeneralRe: Exception when run Pin
Member 1194245113-Oct-15 21:13
memberMember 1194245113-Oct-15 21:13 
QuestionWhat if my consumer is iPhone ? How to configure key / secrete word in iPhone Pin
patel_javal12-Oct-15 3:22
memberpatel_javal12-Oct-15 3:22 
AnswerRe: What if my consumer is iPhone ? How to configure key / secrete word in iPhone Pin
Member 1194245126-Nov-15 21:38
memberMember 1194245126-Nov-15 21:38 
QuestionFails to authenticate when host the service in iis Pin
chanukajr12-Aug-15 22:31
memberchanukajr12-Aug-15 22:31 
QuestionI found The remote server returned an error: (400) Bad Request. Pin
Member 110822247-Apr-15 21:58
memberMember 110822247-Apr-15 21:58 
Question401 allways Pin
Member 849768315-Sep-14 11:49
memberMember 849768315-Sep-14 11:49 
QuestionQuery for Post Request Pin
Susheel Kumar Verma28-Aug-14 4:11
memberSusheel Kumar Verma28-Aug-14 4:11 
QuestionWhere to get CONSUMERSECRET to provide various clients, will be consuming my webservice? Pin
N Chandra (8015059)4-Jun-14 9:23
memberN Chandra (8015059)4-Jun-14 9:23 
QuestionWhere is actual authentication Pin
londondev2120-May-14 4:28
memberlondondev2120-May-14 4:28 
QuestionThe remote server returned an error: (401) Unauthorized Pin
Vjoyism24-Apr-14 22:30
memberVjoyism24-Apr-14 22:30 
SuggestionSolving repeated requests failure Pin
Jung Hyun, Nam2-Mar-14 21:11
professionalJung Hyun, Nam2-Mar-14 21:11 
QuestionIncomingWebRequestContext.UriTemplateMatch Pin
Member 103788486-Nov-13 4:19
memberMember 103788486-Nov-13 4:19 
QuestionSend POST Request Pin
Member 103788484-Nov-13 3:49
memberMember 103788484-Nov-13 3:49 
Questionsecurity of oauth parameters on cosumer side Pin
bhupinder719-Mar-13 8:32
memberbhupinder719-Mar-13 8:32 
QuestionSend POST request Pin
pankaj.thadani24-Feb-13 21:51
memberpankaj.thadani24-Feb-13 21:51 
QuestionUnAuthorized User Pin
zubreha8-Jan-13 9:24
memberzubreha8-Jan-13 9:24 
SuggestionGood overview... Pin
Haukur Kristinsson6-Dec-12 15:07
memberHaukur Kristinsson6-Dec-12 15:07 
QuestionGreat tutorial !!! Pin
Minh Chien Nguyen Jul9-Oct-12 22:56
memberMinh Chien Nguyen Jul9-Oct-12 22:56 
QuestionIs it possible to use HTML instaed of aspx ? Pin
MaheswarSPillai10-Sep-12 20:21
memberMaheswarSPillai10-Sep-12 20:21 
AnswerRe: Is it possible to use HTML instaed of aspx ? Pin
Firnas20-May-13 20:40
memberFirnas20-May-13 20:40 
QuestionRepeated requests are unauthorized Pin
mdgardipee13-Aug-12 4:34
membermdgardipee13-Aug-12 4:34 
AnswerRe: Repeated requests are unauthorized Pin
zubreha8-Jan-13 9:21
memberzubreha8-Jan-13 9:21 
AnswerRe: Repeated requests are unauthorized Pin
nrpl0318-Jan-13 4:52
membernrpl0318-Jan-13 4:52 
Generalnice article for beginner Pin
vyas_pratik204-Jun-12 3:54
membervyas_pratik204-Jun-12 3:54 
GeneralMy vote of 5 Pin
Balakrishnan Dhinakaran21-May-12 20:14
memberBalakrishnan Dhinakaran21-May-12 20:14 
QuestionFantastic! But what about JQuery Clients? Pin
quicoli25-Apr-12 3:50
memberquicoli25-Apr-12 3:50 
Hi friend! Can you give us an example of how consume this using a JQuery Client?

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.151126.1 | Last Updated 24 Apr 2012
Article Copyright 2012 by Bangla Gopal Surya Prakash
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid