
I want to implement token-based authentication and authorization for my WCF services (multiple), where the username and password will be sent along with a custom token generated in encrypted format. I also need to provide authorization on the operation contract. I will not be using the ASP.NET membership tables but a simple custom table for users and roles.

Workflow will be somewhat like:

User consumes service(s).
Provides UserName and Password.
A token is created, attached to the UserName and Password, and sent to the DB for authentication.
The service responds and the user calls the operation contract.
UserName, Pwd and Token are sent for authorization.
The service authorises and the method is consumed.

Please provide a workable solution.
P_Dash 24-Jan-13 5:01am    
Well what I got from your question is that you want to provide Service consumption facility to those users who are Registered with you.

So if I'm right then there is no need to send the Token to Database for checking Purpose. Coz database can't check your Dynamically generated token.
So I'd suggest you like you generate the whole Authorization stuff using just Username & Password checking.
And after validating username & password you generate a token using Cookies & send this token to your user.
Otherwise if you want more safety then use Session variable for generating a token.
Pinank_CD 24-Jan-13 5:56am    
Yes. I will validate the username and password in the database, but I want to send the credentials in encrypted format and will decrypt them in the DAL. Besides this, what security features can be implemented for authorization at the contract level?
Pinank_CD 24-Jan-13 6:14am    
Exactly, this is what I want. Can we achieve this?

1. The client calls Login with the username/password
2. Encryption is performed in the client sink
3. Message is sent to the server
4. The server decrypts the message in the server sink
5. Server Login() method validates the username/password from its user database
6. Server creates a token which can be used to validate the client on future requests
7. The Login() method returns with a response (i.e. the token)
8. Server's response is encrypted in the server sink
9. Message is sent to the client
10. Message is received at the client and decrypted; the client now has a token for future requests
P_Dash 24-Jan-13 7:15am    
Improved in Solution.
Check & tell me if you find it useful or not.
Pinank_CD 25-Jan-13 5:24am    

I am not able to find much help. Can you please guide me on the tasks below?

1. After authorizing UName and Pwd from the DB, how can I return the token and set it in a session variable in the client's environment?
2. Role-based (my own table, not ASP.NET membership) permission on operation contracts
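The flow asked for above (Login validates credentials against a custom user table, returns a token, later calls carry that token and are authorized per operation by role) can be built with WCF's own extension points. The following is an added example written for this thread, not code from the original post or from the linked articles. `UserStore`, `TokenService`, `OrderService`, the `Token` header in the `urn:example` namespace, the sample users and the key literal are all assumptions; the rows are constructed sample data and the key is a placeholder to be loaded from a protected store.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Text;

// Hypothetical stand-in for the custom users/roles table (constructed sample rows); passwords are
// kept as salted PBKDF2 hashes, never plaintext, so a leaked table does not leak credentials.
public static class UserStore
{
    private static readonly Dictionary<string, Tuple<byte[], byte[], string[]>> Rows =
        new Dictionary<string, Tuple<byte[], byte[], string[]>>(StringComparer.OrdinalIgnoreCase);
    static UserStore() { Add("alice", "correct horse battery staple", "User", "Admin"); Add("bob", "sample-passphrase-2", "User"); }
    private static void Add(string user, string password, params string[] roles)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Rows[user] = Tuple.Create(salt, Pbkdf2(password, salt), roles);
    }
    private static byte[] Pbkdf2(string password, byte[] salt)
    { using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32); }
    // Roles on success, null on failure (the same answer for an unknown user and a wrong password).
    public static string[] Validate(string user, string password)
    {
        Tuple<byte[], byte[], string[]> row;
        return Rows.TryGetValue(user, out row) && TokenService.FixedTimeEquals(Pbkdf2(password, row.Item1), row.Item2) ? row.Item3 : null;
    }
}

// Issues and checks HMAC-signed, expiring tokens. The key literal is a placeholder (assumption):
// in a deployment load 32 random bytes from DPAPI or protected configuration instead.
public static class TokenService
{
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("PLACEHOLDER-32-random-bytes-from-secret-store");
    public const string HeaderName = "Token", HeaderNs = "urn:example";

    // Payload is user|role1,role2|expiryTicks; the MAC covers all of it, so the client cannot alter any field.
    public static string Issue(string user, string[] roles, TimeSpan lifetime)
    {
        byte[] p = Encoding.UTF8.GetBytes(user + "|" + string.Join(",", roles) + "|" + DateTime.UtcNow.Add(lifetime).Ticks);
        return Convert.ToBase64String(p) + "." + Convert.ToBase64String(Mac(p));
    }

    // The principal carried by the token, or null when the signature, layout or expiry check fails.
    public static IPrincipal Validate(string token)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] p, sig;
        try { p = Convert.FromBase64String(parts[0]); sig = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(Mac(p), sig)) return null;                  // forged or tampered
        string[] f = Encoding.UTF8.GetString(p).Split('|');
        long expires;
        if (f.Length != 3 || !long.TryParse(f[2], out expires) || expires < DateTime.UtcNow.Ticks) return null;
        return new GenericPrincipal(new GenericIdentity(f[0], "Token"), f[1].Split(','));
    }

    private static byte[] Mac(byte[] data) { using (var h = new HMACSHA256(Key)) return h.ComputeHash(data); }

    // Constant-time comparison so signature and hash checks leak nothing through timing.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Runs before every operation: Login passes without a token, everything else needs a valid one.
// Host setup (assumed): host.Authorization.ServiceAuthorizationManager = new TokenAuthorizationManager();
// host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom; on a secured binding (HTTPS).
public class TokenAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext ctx)
    {
        var headers = ctx.IncomingMessageHeaders;
        if (headers.Action.EndsWith("/Login")) return true;
        int i = headers.FindHeader(TokenService.HeaderName, TokenService.HeaderNs);
        IPrincipal principal = i < 0 ? null : TokenService.Validate(headers.GetHeader<string>(i));
        if (principal == null) return false;                             // WCF answers with an access-denied fault
        // With PrincipalPermissionMode.Custom, [PrincipalPermission] demands read this property.
        ctx.ServiceSecurityContext.AuthorizationContext.Properties["Principal"] = principal;
        return true;
    }
}

[ServiceContract(Namespace = "urn:example")]
public class OrderService
{
    [OperationContract]
    public string Login(string userName, string password)
    {
        string[] roles = UserStore.Validate(userName, password);
        if (roles == null) throw new FaultException("Invalid credentials");
        return TokenService.Issue(userName, roles, TimeSpan.FromMinutes(30));
    }

    [OperationContract, PrincipalPermission(SecurityAction.Demand, Role = "Admin")] // per-operation role check
    public bool DeleteOrder(int orderId) { return true; }
}
```

On the client the token returned by `Login` is simply kept in memory (that is the "session variable in the client's environment" from task 1) and attached to each later call inside an `OperationContextScope` with `OperationContext.Current.OutgoingMessageHeaders.Add(MessageHeader.CreateHeader("Token", "urn:example", token))`. Task 2 is handled by the `[PrincipalPermission]` attribute on each operation, with the roles coming from the custom table at login time and travelling inside the signed token. The encrypt/decrypt steps of the ten-step flow are best left to transport security (an HTTPS binding) rather than a hand-written sink: TLS gives the credentials and the token confidentiality and integrity on the wire, and it is also what makes `ServiceSecurityContext` available to the authorization manager.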

1 solution

You can put all your Service files in a Folder & Arrange Forms Authentication for it.
But it might come with demerits when portable devices are going to consume your Service.

Otherwise you can follow the below links for Service contract level Security & Encryption:

WCF Service Method Level Security using Message Contract

WCF FAQ: Part 3 – 10 security related FAQ

Now, what I believe is that you are going to need all this encryption/decryption when you are storing the user Identity in the User's Browser. Coz at server level everything is Secure.
So you can follow the below links if you want to implement Encryption:

how to encrypt and decrypt password in

So as per your requirement to store the Identity of User in user's Browser by Encrypting it, you could follow the below mentioned link:

HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0

Still if you want to implement a Secure Identity using Server side storing technique, then I'd suggest you to go for Session variable.

I believe this could help you to some extent.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
