WCF REST based services authentication schemes
Posted by FlySwat on Stack Overflow, published 2010-04-05T01:17:20Z
I have a simple authentication scheme for a set of semi-public REST APIs we are building:
                                                 /-----------------------\
                                                 | Client POST's ID/Pass |
                                                 | to an Auth Service    |
                                                 \-----------------------/
    [Client] ------------POST----------------------> [Service/Authenticate]
        |
        |                                            /-------------------------------\
        |                                            | Service checks credentials    |
    [Client] <---------Session Cookie-------         | and generates a session token |
        |                                            | in a cookie.                  |
        |                                            \-------------------------------/
        |
    [Client] -----------GET /w Cookie -------------> [Service/Something]
        |
        |                                   /----------------------------------\
        |                                   | Client must pass session cookie  |
        |                                   | with each API request            |
        |                                   | or will get a 401.               |
        |                                   \----------------------------------/
This works well, because the client never needs to do anything except receive a cookie and then pass it along. For browser applications the browser does this automatically; for non-browser applications it is pretty trivial to save the cookie and send it with each request.
However, I have not figured out a good approach for doing the initial handshake from browser applications. For example, if this is all happening using an AJAX technique, what prevents the user from being able to access the ID/Pass the client is using to handshake with the service?
It seems like this is the only stumbling block to this approach and I'm stumped.
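The server side of the flow in the diagram (credential check, opaque session token set in a cookie, 401 on any request without a valid cookie), as an added example that is not from the question or from a WCF project; the credential store, the `session` cookie name and the request/response shapes are assumptions chosen for illustration. The cookie flags keep the token out of page scripts, which is separate from the question's concern about the ID/Pass embedded in the client.

```python
import hmac
import secrets
import time
from hashlib import sha256

SESSION_TTL = 3600  # seconds a session token stays valid

# Constructed demo credential store: user -> salted SHA-256 of the password (example only).
_SALT = b"demo-salt"
USERS = {"alice": sha256(_SALT + b"correct horse").hexdigest()}

# Server-side session store: opaque token -> (user, expiry). Nothing about the
# user is encoded in the token itself, so the cookie leaks nothing if inspected.
SESSIONS = {}


def authenticate(form):
    """POST /Service/Authenticate: verify ID/Pass and issue a session cookie."""
    user, password = form.get("id", ""), form.get("pass", "")
    expected = USERS.get(user)
    digest = sha256(_SALT + password.encode()).hexdigest()
    # Always hash, and compare in constant time, so timing does not reveal which part failed.
    if expected is None or not hmac.compare_digest(expected, digest):
        return 401, {}, "bad credentials"
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = (user, time.time() + SESSION_TTL)
    cookie = (f"session={token}; HttpOnly; Secure; SameSite=Strict; "
              f"Path=/; Max-Age={SESSION_TTL}")
    return 200, {"Set-Cookie": cookie}, "ok"


def parse_cookies(header):
    """Turn a raw Cookie header into a dict (ignores malformed pairs)."""
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)


def require_session(headers):
    """Return the user for a valid, unexpired session cookie, else None."""
    token = parse_cookies(headers.get("Cookie", "")).get("session")
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, expiry = entry
    if time.time() > expiry:
        del SESSIONS[token]  # expired tokens are purged on first use
        return None
    return user


def get_something(headers):
    """GET /Service/Something: requires the session cookie or answers 401."""
    user = require_session(headers)
    if user is None:
        return 401, {}, "unauthorized"
    return 200, {}, f"hello {user}"
```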