We have a web service that we will be hosting on a public web server and it will be contacted by web services hosted on web servers within the walls of a hospital. We have writ
Could you use something like Basic Authentication over HTTPS to provide username/password challenging? I believe the Microsoft SOAP supports it fairly well. You pretty much just use IIS to configure basic auth (must use SSL), and in your C# just pass ICredentials to your proxy.
From googling, it looks like other languages support basic auth over SOAP too.
You probably want to use something like OAuth:
http://oauth.net/
You can then use it with WCF to provide an endpoint.
From there, you would want to map the claims to an internal id for the customers (you would have to determine what this mapping is).
This way, you don't have to rely on issuing anything to anyone; all you have to do is create the mapping based on the claims sent to you.
Client certificates can be used to provide credentials from a caller to your webservices; it's not that hard to take the passed cert and do any additional evaluation to dictate what that cert has visibility into.
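
The client-certificate evaluation described in the answer above, sketched as an added example (not code from the original posts): the service pins each caller's certificate by SHA-256 fingerprint, maps it to an internal id, and uses that id to decide which records the caller may see. The class name, the `HOSP-…` ids and the self-signed test certificates are assumptions constructed for illustration; chain validation against a CA is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertAuthorizer
{
    // Hypothetical mapping: SHA-256 certificate fingerprint -> internal hospital id.
    static readonly Dictionary<string, string> HospitalByFingerprint =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Returns the internal id for a presented client certificate, or null to reject.
    public static string ResolveHospital(X509Certificate2 cert)
    {
        if (cert == null) return null;
        DateTime now = DateTime.Now; // NotBefore/NotAfter are reported in local time
        if (now < cert.NotBefore || now > cert.NotAfter) return null;
        string fingerprint = cert.GetCertHashString(HashAlgorithmName.SHA256);
        return HospitalByFingerprint.TryGetValue(fingerprint, out string id) ? id : null;
    }

    // Visibility check: a caller may only read records owned by its own hospital.
    public static bool CanRead(X509Certificate2 cert, string recordOwnerId)
    {
        string id = ResolveHospital(cert);
        return id != null && string.Equals(id, recordOwnerId, StringComparison.Ordinal);
    }

    // Constructed test input: a throwaway self-signed certificate.
    static X509Certificate2 MakeTestCert(string commonName)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=" + commonName, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                            DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    static void Main()
    {
        X509Certificate2 known = MakeTestCert("hospital-a"), unknown = MakeTestCert("stranger");
        HospitalByFingerprint[known.GetCertHashString(HashAlgorithmName.SHA256)] = "HOSP-001";
        Console.WriteLine(CanRead(known, "HOSP-001"));   // registered cert, its own record
        Console.WriteLine(CanRead(known, "HOSP-002"));   // registered cert, another hospital's record
        Console.WriteLine(CanRead(unknown, "HOSP-001")); // certificate not in the mapping
    }
}
```

In a hosted service the certificate would come from the TLS handshake rather than from `MakeTestCert`, and the mapping would live in a store the operator controls.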