.net4 + ASP.net + MVC4 + WebAPI + ??? = AWESOME



  • Ok, I'm setting up a little something-something, using MVC4 and WebAPI to do it in .net 4, and I got everything I need but one bit:

    Auth!

    What I'm looking for is something like ... not OAuth, but something where a client can authenticate with my web service and then send a token that grants him permission to get at the data. If possible I'd like to use an auth method that doesn't require storing session state on the web servers (so I can scale by just adding more servers without worrying about cross-server chatter.) And of course I need something secure and auditable.

    Any recommendations?



  • Have you looked at WIF?  It's a bit of a complex beast but it's pretty good once you get your head around it.

    This will help. 

    http://msdn.microsoft.com/en-us/library/ff423674.aspx

    Ignore the crap about sharepoint but the guts of it are what you're after (I think). I actually found the first edition more helpful because it was proportionally less specific and more about the general principals.

    The authentication is provided by a signed token issued by your (or someone elses) STS.  No session state is required for that bit and in fact the framework takes care of mostly everything, checking the token is legit etc.  Of course after that it's up to you to remain stateless but there's nothing from the authentication that leaks through into your domain problem.



  • Thanks for the pointer, I'll check it out on monday.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.