User name authentication for secure connection to REST service

    Question

  • Hi all,

    I am trying to provide user name/password authentication in order to connect to a REST service hosted in Azure, optionally implemented on top of WCF.

    Here is the application flow:

    1. The user fills in the username and password.
    2. A request will be sent to the WCF service for authentication.
    3. The WCF service will check either an external identity service or a simple SQL Server/SQL Azure database to authenticate the user credentials.
    4. The WCF service will return some token (or some key) in order for the user client to securely connect to the REST service (over HTTPS/SSL).
    5. The token/key will be cached on the client side for fast connection.

    I am aware of using ACS in Azure; however, I would like to avoid that and handle the username store myself in order not to lock myself into a specific Azure implementation.

    Any comments/links/tutorials will be more than welcome.

    BTW, security in my solution is our top concern, so any references on security guidelines/specifications will be great.

    Thanks!!!

    Wednesday, August 14, 2013 10:44 AM

Answers

  • Hi

    Yes, there is a very, very helpful article for you:

    How to: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS

    You can follow this article to create a security module for your WCF service.

    And then implement additional functions on top of it.


    Please mark post as answered if it helped!


    Thursday, August 15, 2013 2:18 AM
  • Hi,

    I'd like to point out that ACS supports 2 authentication modes. It can either provide its own authentication (you store username/password or certificate in ACS itself), or it can delegate authentication to a third party STS (such as Facebook or your own STS). Building your own STS is not a simple task, so it is recommended to use an existing product, such as Windows Azure Active Directory or your on-premises Active Directory Federation Service, in case you don't want to store user credentials in ACS itself. Please refer to http://msdn.microsoft.com/en-us/library/aad.aspx to get started.
     
    If ACS works with an external STS (such as Facebook), we don't have much control of the communication with the STS directly. We can get the token issued by ACS; the advantage is that we can use the same code to deal with a lot of STSs. The disadvantage is that the token cannot be used to access additional information from the STS (such as a Facebook friend list). So usually, use ACS for the purpose of authentication and authorization.
     
    ACS supports both OAuth and WS-Federation. WIF natively supports WS-Federation. So if you're using ASP.NET or WCF SOAP and thus working with WS-Federation, you can regard ACS as an STS. WIF fits into the picture naturally. You can check http://msdn.microsoft.com/en-us/library/windowsazure/gg185912.aspx for a sample.
     
    If you're working with HTML 5 or mobile apps, then you may want to use OAuth. OAuth is much simpler than WS-Federation, so even without WIF, it won't take too much effort to use ACS in your applications. Please refer to http://blogs.msdn.com/b/alikl/archive/2010/11/13/windows-phone-7-and-restful-services-delegated-access-using-azure-appfabric-access-control-service-acs-and-oauth.aspx for a tutorial.

    Best Regards,

    Ming Xu


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    • Marked as answer by DotNetDev111 Monday, August 26, 2013 10:04 AM
    Thursday, August 22, 2013 3:27 PM
    Moderator

All replies

  • Hi,

      >> i will like to avoid that and handle the username store my self in order not to lock my self to specific azure implementation.

    From my experience, if you want to do it yourself, it seems there is a lot of work that needs attention. Here we can provide a few high level suggestions.
     
    First, WCF REST natively supports transport security with basic authentication, which leverages IIS if the service is hosted in IIS. However, by default, IIS uses Windows credentials to check basic authentication credentials. So it is needed to implement a custom IIS module to perform your own check. Please refer to http://custombasicauth.codeplex.com/ for a sample. It is also needed to do extensive work regarding encryption, as security is your top concern. If basic authentication does not meet your requirements, you may want to implement certificate based authentication.
     
    Second, now that the first request is authenticated, please find a way to generate a security token. For example, the token must be uniquely signed, so that third parties cannot forge the token. To ensure this, you can use a public/private key encryption solution. In addition, the token has to die after a certain amount of time. If security is important, you may even want to implement a token revocation policy. The following discussions may help:
     
    http://stackoverflow.com/questions/1626575/best-practices-around-generating-oauth-tokens
    http://codereview.stackexchange.com/questions/1159/oauth-provider-token-generation
     

    Best Regards,

    Ming Xu




    Thursday, August 15, 2013 2:40 AM
    Moderator
  • Thank you that tutorial is helpful.
    Monday, August 19, 2013 12:17 PM
  • In case I will use Azure ACS instead of implementing my own security token service, I am trying to find the logic for sending the security token response to the client from the WCF service and then forwarding it to the WCF service for validation, instead of validating the token immediately when it returns from ACS.

    (This is more of a conceptual question.)

    Regarding ACS, in case I would like to store the users' credentials in some database, how would ACS be able to integrate with that (and generate the token needed accordingly)?

    Thanks!


    Monday, August 19, 2013 12:23 PM
  • Hi,

    Yes, you can send the ACS token to clients, not to the service (unless you're building a passive website such as a pure server side ASP.NET application without AJAX, which is not your scenario). Actually, ACS sends the token to the client; please make sure you do the validation on the server side. You share a key with ACS. As long as no one else knows the key, only ACS can generate a valid token signature (HMAC) using the key.

      >> Regarding ACS in case I would like to store the users credentials in some database how would the acs be able to integrate with that (and generate the token needed accordingly)?

    If ACS is used, we essentially delegate authentication to ACS. So we do not need to, and cannot, store the user credentials in our own database.

    Best Regards,

    Ming Xu



    Wednesday, August 21, 2013 8:16 AM
    Moderator
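    As an added example (not code from this thread, nor from ACS or WIF), here is a Python stand-in for the server-side check described above and for the earlier advice about signed, expiring, revocable tokens: an issuer signs an SWT-style token with the key shared with the service, and the service verifies the signature before trusting any field, then issuer, audience, expiry and a revocation list. The SWT layout follows the "k=v&...&HMACSHA256=" convention; the claim names such as TokenId, the key and the sample values are constructed assumptions.

```python
import base64
import hashlib
import hmac
import time
import uuid
from urllib.parse import parse_qsl, quote, unquote, urlencode

# SWT layout: "k1=v1&k2=v2&...&HMACSHA256=<sig>", where <sig> is the URL-encoded
# base64 HMAC-SHA256 over everything before "&HMACSHA256=", computed with a key
# shared between the issuer and the service (all names/values here are assumed).

def issue_swt(claims, issuer, audience, key, ttl_seconds=300, now=None, token_id=None):
    """Issuer side: stamp claims with TokenId (for revocation), Issuer, Audience
    and ExpiresOn, then sign the whole query string with the shared key."""
    now = int(time.time()) if now is None else now
    fields = dict(claims)
    fields["TokenId"] = token_id or uuid.uuid4().hex
    fields["Issuer"] = issuer
    fields["Audience"] = audience
    fields["ExpiresOn"] = str(now + ttl_seconds)
    unsigned = urlencode(fields)
    sig = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    return unsigned + "&HMACSHA256=" + quote(base64.b64encode(sig).decode("ascii"), safe="")

def validate_swt(token, issuer, audience, key, now=None, revoked=frozenset()):
    """Service side: verify the signature BEFORE reading any claim, then issuer,
    audience, expiry and revocation. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    unsigned, sep, sig_part = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token carries no signature")
    expected = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    given = base64.b64decode(unquote(sig_part))
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise ValueError("signature mismatch: token was forged or altered")
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != audience:
        raise ValueError("token was issued for a different service")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    if claims.get("TokenId") in revoked:
        raise ValueError("token revoked")
    return claims

def swt_is_valid(token, issuer, audience, key, now=None, revoked=frozenset()):
    """Accept/reject wrapper around validate_swt."""
    try:
        validate_swt(token, issuer, audience, key, now=now, revoked=revoked)
        return True
    except ValueError:
        return False
```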
  • I want to clear some concept about ACS which is a bit confusing to me.

    Regarding security token:

    1. In case I would like to store user credentials in some place and generate tokens based on the user credentials, how could ACS help me with that?

    2. Is there a way to populate ACS with usernames and passwords to create the tokens?

    3. In case the user is authenticated against Facebook, does ACS send a request to Facebook and they generate the security token, or does ACS generate the token?

    4. I am a bit familiar with WIF (Windows Identity Framework); how does that integrate with ACS?

    5. Can I use Active Directory (Azure version) to store the users' credentials with ACS integration?

    I would appreciate it if you could also refer me to some documentation on the authentication flows of ACS with its various offerings.

    Thank you for your help! I am trying to see the big picture in order to make a decision about our architecture.

    Thursday, August 22, 2013 6:30 AM
  • Hi DotNetDev111

    Ming's answer is very good; you should try to understand ACS's authentication.

    And here I list your requirements and try to give you a solution.

    1. Use Facebook as identity provider.

    2. Only users who log in with an FB account can use the WCF service.

    3. When a user is already logged in to FB, they needn't be redirected to login next time.

    Solution:

    1. Configure Facebook as IdP in your ACS

    2. Create My First Claims-Aware ASP.NET Service Using ACS

     (if you use VS2012 you need to read this

    When you redirect to the Facebook login page and log in with your FB account, FB will provide a security token. This security token is something like this:

    {"appliesTo":"http://localhost:53517/","context":null,"created":1333797749,"expires":1333798349,"securityToken":"<?xml version=\"1.0\" encoding=\"utf-16\"?><wsse:BinarySecurityToken wsu:Id=\"uuid:825572a4-fc91-4dac-8adf-55c45cf2bd8d\" ValueType=\"http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0\" EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">...</wsse:BinarySecurityToken>","tokenType":"http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0"}

    The string in bold is a base64 string (you can try to deserialize it yourself).

    If you add an STS reference to your project, it will automatically deserialize this string and convert it to claims.

    You can use the user name and SWT; then you can refer to the link in my first post.

    For a better understanding, I suggest you read this article:

    http://blogs.msdn.com/b/alikl/archive/2011/09/12/obtaining-swt-security-token-from-windows-azure-appfabric-acs-in-wpf-application-using-webbrowser-control.aspx

    try to understand every step.


    Please mark post as answered if it helped!

    Thursday, August 22, 2013 4:50 PM
  • Ming that's an excellent answer.

    I have 2 questions to clarify my requirements:

    1. Can ACS integrate with SQL Azure or SQL Server (running on a dedicated Azure VM Role), besides the option of using Azure Active Directory or storing the user credentials in ACS itself?
    2. In case I would like to store my users' credentials in ACS, how can I do that by commands/API? (I only saw the management portal option.)

    By the way, we are not planning external STS integration (such as Facebook, Windows Live ID, etc.) with our service, but rather handling our own user management.

    Thank you!

     
    Sunday, August 25, 2013 6:11 AM
  • Hi,

    It's always our pleasure to try our best to provide suggestions. Based on my experience, ACS is used to protect services (either SOAP or REST), but not databases. SQL Server has its own username/password. However you can build a service (such as an OData service) on top of SQL Azure/Server, and then you can use ACS to protect the service. Users will not interact with database directly. Instead, they use your service.
     
    Here, you can refer to http://www.corradin.net/index.php/2013/01/invoking-the-acs-management-service-programmatically/ for a sample on how to programmatically manage ACS.

    Best Regards,

    Ming Xu



    Monday, August 26, 2013 8:32 AM
    Moderator