I'm working on an application which allows data entry and display from both a Windows Phone application and an MVC 3 web interface. Data access for the phone client is via aut
An alternative to an API Key is to use claims based identity and security tokens. You could use the Windows Azure Access Control Service as a trusted issuer of security tokens, with the value add that it comes pre-configured to use LiveID, Facebook, Google, any OpenID and any WS-Federation identity provider. Both the web site and the web service would trust ACS.
ACS will give you SAML tokens for the web site (allowing your users to login to it with LiveID, Google or FB).
ACS can also issue Simple Web Tokens (SWT), which are especially neat for REST services (assuming the phone client uses that).
You can't use the LiveID associated with the phone in your app, but you can still use LiveID (or any other identity provider). This is an example of how to do it. It uses the common approach of embedding a web browser in the phone app and using it for all security token negotiation.
Using ACS gives you a lot of flexibility without all the complexity. Making a web site "claims aware" and trust ACS is very straightforward. More samples here: http://claimsid.codeplex.com
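
What the REST service has to check before trusting a Simple Web Token, as an added example that is not part of the original answer or of any ACS sample. It assumes the SWT wire format (form-encoded pairs with `Issuer`, `Audience`, `ExpiresOn` and a trailing `HMACSHA256` signature); the key, namespace, audience and `role` claim are constructed, and `sign_swt` only stands in for the issuer so the sample runs offline.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

SIG_PARAM = "&HMACSHA256="  # SWT: the signature is always the last parameter


def _mac(unsigned: str, key: bytes) -> bytes:
    return hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()


def sign_swt(claims: dict, key: bytes) -> str:
    """Stand-in for the token issuer, used here only to build a sample token."""
    unsigned = urlencode(claims)
    return unsigned + SIG_PARAM + quote(base64.b64encode(_mac(unsigned, key)), safe="")


def validate_swt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the token's claims, or raise ValueError if it must not be trusted."""
    unsigned, sep, sig = token.rpartition(SIG_PARAM)
    if not sep:
        raise ValueError("token is not signed")
    presented = base64.b64decode(unquote(sig), validate=True)  # bad base64 raises ValueError
    if not hmac.compare_digest(_mac(unsigned, key), presented):  # constant-time compare
        raise ValueError("signature mismatch")
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != audience:
        raise ValueError("token was issued for a different service")
    expires = claims.get("ExpiresOn", "")
    if not expires.isdigit() or int(expires) <= (time.time() if now is None else now):
        raise ValueError("token expired or has no expiry")
    return claims


# Constructed sample values, not real ACS settings.
KEY = hashlib.sha256(b"constructed demo key").digest()  # 32-byte shared key
ISSUER = "https://example-ns.accesscontrol.windows.net/"
AUDIENCE = "https://api.example.test/"
SAMPLE = sign_swt({"role": "editor", "Issuer": ISSUER, "Audience": AUDIENCE,
                   "ExpiresOn": "2000000000"}, KEY)

if __name__ == "__main__":
    print(validate_swt(SAMPLE, KEY, ISSUER, AUDIENCE, now=1_900_000_000))
```

Claims are read only after the signature verifies, and the audience check stops a token issued for another relying party from being replayed against this service.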