There's a Dynamic CRM instance on a server ("on-premises"). It will be used by a few sites that run on distant machines (another domain,
Hand-coded token passing is not very elegant. It pollutes your method signatures and makes you duplicate checks all over the place.
If you are able to distribute credentials to your service clients, or pass in credentials that they already use for your system, then I suggest using message security with a custom username & password validator.
The steps to implement it are simple enough. You only need to implement a UserNamePasswordValidator:
A short configuration summary from the linked article:
Specify the security mode in your binding:
In your service behavior add:
Then clients just need to set their credentials directly on the service proxies. So they're not passed in service operations.
serviceClient.ClientCredentials.UserName.UserName = "username";
serviceClient.ClientCredentials.UserName.Password = "password";
Your UserNamePasswordValidator will get these credentials for each service operation call, and you will have the chance to validate them against your credentials store.
However, for more security, you could look into certificate authentication. It's more reliable and you are not required to buy a cert from a CA. If you can also set yourself up as a CA on the client computers, then you're good to go. It's appropriate especially because you only have a few clients, so they would be easy to manage.