WCF Rest JSON Service Authentication with no Certificate - c#

I'm developing WCF Rest JSON service for Android and IOS Mobile apps. I need to provide some security to this..I gone through many Articles but most of them using Certificates.. Could anyone suggest which is the best and built in way to secure the service..

I would recommend the use of OAuth (Since you are on multiple mobile platforms).
It does not use user/password authentication, you instead include OAuth inside the HTTP header.
Here is documentation and sample implementations;
http://blogs.msdn.com/b/odatateam/archive/2011/01/20/oauth-2-0-and-odata-protecting-an-odata-service-using-oauth-2-0.aspx
http://www.codeproject.com/Tips/372422/Secure-WCF-RESTful-service-using-OAUTH
http://www.codeproject.com/Tips/817102/Consuming-OAUTH-Enabled-Restful-WCF-Service-using

Related

Auth service using Web Api, membership provider, and SQL Server 2012

I am looking to write an auth service using Web Api, and SQL Server for authenticating and authorizing users on my .net site, but ios and Android apps as well. I'm speculating that basic authentication over SSL is the easiest way to go, but I'm pretty new to this whole section of .net. I'm having trouble finding some clear tutorials that explain how to write such a service. Can anyone point me to some resources on how to do this? I'd appreciate it.
I think you need to look OAuth implementation in .NET.
Here is a video to give you some background on Web API security.
I also suggest getting a trial subscription to Pluralsight training and check out the courses on Web API security.
You may want to target the latest release of Web API 2.0 from Microsoft, it has the most features you'll need.
I think this might be useful for you:
http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

GData Authentication for Server Apps

I have an application running on a server that periodically extracts data from Google Analytics. It doesn't issue many queries so I don't think any limit would be a problem.
I have a prototype running, however I had to provide a login a password for the authentication (in code).
I see that I can generate API keys and other kind of authentication bits and pieces in the Google APIs Console, however I am not sure how to use them and whether they can be used in place of the login/password.
It just doesn't seem right to use a user login/password to authenticate a server application.
Is there another way?
(I am using the C# client library)
You should be using OAuth 2.0. See:
http://code.google.com/p/google-gdata/source/browse/trunk/clients/cs/samples/oauth2_sample/oauth2demo.cs
for a sample OAuth workflow.
The best way to do this is with Google Service Accounts
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
However, I don't know off the top of my head the best library for c#, but there does appear to be support for it in the Google library. http://code.google.com/p/google-api-dotnet-client/wiki/OAuth2#Service_Accounts
Here's a answer specifically about the PHP client.
Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?

Securing REST-based WCF Service

I'm looking for a way to secure my WCF service using http and simple username-password authentication, without using certificates.
The service is consumed by an Android device so I can't use the .NET Proxy generated classes.
I've read about basic HTTP authentication but haven't found an easy way to implement this method.
Have you tried using the MSDN custom Username/Password validator for WCF? It relies on the serviceCredentials configuration and implementing a UsernamePasswordValidator.
I've found ASP.NET Web API, seems like a better solution for REST-based Services than WCF.

Authenticated WCF Service for MonoTouch, Mono for Android and WP7

Iam writing a Phone App where the end user should be able to access their own personal messages and other personal content.
Does anyone have some good ideas of how to create a service like this, should i use Soap or Rest, should i simply send the username/password with every request or ?
What would be the best choice for a service i would like to access from all three platforms and that only returns information specific to the authenticate user.
As a suggested alternative to WCF that's at least worth taking a look at, ServiceStack, an open source REST Web Services Framework, is well suited for use in a mobile app and it supports the Mono platforms. It also has built-in support for user authentication. At the very least, it offers a JSON serializer that performs very well.
There's a Wiki for ServiceStack here.
I don't know what the support is like for MonoTouch / MonoDroid, but WCF supports secure services without adding username/password to every request manually (it actually does, but it includes it in the headers).
See this blog post for a great starting point for using WPF Custom Username/Password Validator: http://blogs.msdn.com/b/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx

How to secure a WCF restful service?

I used to deal with web services and we secured it using the credential header with soap. The calling application would need to pass a username and password in the credential header. We are now looking at using a WCF restful based webservice and want to secure it. Wondering what the best way to secure it is?
I was thinking that I could stuff a username and password in the POST variables (this thats what they are called). But is this the proper way to secure a restful web service?
This link describes how to use WCF with WS-Security.
This link describes what WS-Security is.
This link describes the architecture of the WCF security component.
Not sure if you can combine those with REST but know that HTTP has an authentication mechanisms of it's own (See Basic authentication and Digset authentication and this overview about both).
The RESTful way to do it imo would be using the HTTP authentication.
I think you have some research to be done :)

Categories