Is it possible to maintain a single OAuth authorization code shared between Web API and WCF web services?

Piyush Meshram 1 Reputation point
2021-09-01T09:48:19.837+00:00

A new project with ASP.NET Web API uses OAuth authorization implemented with OWIN Security and ASP.NET Identity (enabled authentication with Individual User Accounts when you create a fresh new Web API project).

An old WCF service does not use such an approach for user authentication; a simple DB query was fired to identify the user.

Now, to support the SOAP protocol, which is possible only with WCF services, we need the WCF services to share the same authentication mechanism that the ASP.NET REST Web API is using.

The goal here is: maintain only one piece of code to authenticate and authorize the user. The same code will be shared between the WCF web services and the Web API, developed with .NET Framework 4.8 and written in C#.

Things I tried:

  1. Redirect from the REST Web API to the SOAP WCF web service, which failed because the SOAP WCF call is a POST call and only GET redirects are possible (please correct me if I am wrong).
  2. Verify the hashed password from the WCF service and authorize the user for making SOAP requests. The client request is not the same as the REST request, as the Bearer auth token is missing in the WCF web service, and passing user credentials as base64 is not a secure way.
  3. Windows Basic Authentication at the IIS level, which may need too many Windows users.

What are the best practices to be considered for the solution of the above question?

If the solution is long, sharing some reference links would help.


2 answers

  1. Bruce Zhang-MSFT 3,736 Reputation points
    2021-09-02T02:56:08.46+00:00

    Hi @Piyush Meshram ,

    Something you need to know is that SOAP and REST APIs are different. Though both of them are methods of communication between applications, REST and SOAP cannot be directly compared. REST can be implemented differently from project to project, while SOAP is a well-defined and standardized protocol for data exchange.

    REST does not have a well-defined security protocol, but JSON Web Tokens are the most common method of authenticating and authorizing requests. There is no defined standard for building REST, so developers can customize any headers, cache and cookies according to their needs.

    On the other hand, SOAP is a protocol for data exchange. Its strengths lie in that it has a certain set of rules and standards that must be obeyed for successful client/server interactions.
    A SOAP request envelope generally consists of an optional header and a required body attribute. The header attribute is used for information such as security credentials and other metadata, while the body attribute is used to handle the actual data and any errors that arise. In other words, SOAP uses XML for transferring payload data, which is different from REST.

    About your questions:

    > we need WCF Services to share same authentication mechanism as the ASP.NET REST Web API using.

    It is possible to achieve. You can use ASP.NET Identity for authentication and authorization in a WCF service. This is a simple tutorial about how to use ASP.NET Identity in WCF. ASP.NET Identity can also be used in an ASP.NET Web API project (enabled authentication with Individual User Accounts when you create a fresh new Web API project).

    > Same code will be shared between WCF webservices and WEB API developed with .NET Framework 4.8 and written in C#.

    This is impossible. REST and SOAP use different data formats to transfer and communicate. You need to write two pieces of code: one for dealing with JSON and another for dealing with XML.

    If one of your needs is to allow users who have authenticated in REST to communicate with WCF, set a cookie after user login and configure WCF to accept the cookie.


    Best regards,
    Bruce Zhang

    1 person found this answer helpful.
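
One way to use ASP.NET Identity from both services, as the answer above suggests: each service keeps its own message handling (the JSON token endpoint and the SOAP username token), while the credential check lives in one class. This is an added example, not code from the thread; `SharedCredentialCheck`, `SharedOAuthProvider`, `IdentityUserNameValidator` and the `DefaultConnection` connection string name are assumptions.

```csharp
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security.OAuth;

// Hypothetical shared class: the one place where a user name and password are checked.
public static class SharedCredentialCheck
{
    public static async Task<IdentityUser> FindUserAsync(string userName, string password)
    {
        // Assumption: "DefaultConnection" points at the ASP.NET Identity database.
        var context = new IdentityDbContext<IdentityUser>("DefaultConnection");
        var store = new UserStore<IdentityUser>(context) { DisposeContext = true };
        using (var manager = new UserManager<IdentityUser>(store))
        {
            // Compares against the stored password hash; returns null on any mismatch.
            return await manager.FindAsync(userName, password).ConfigureAwait(false);
        }
    }
}

// Web API side: the OWIN token endpoint issues a bearer token after the shared check.
public class SharedOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // no separate client registration in this example
        return Task.CompletedTask;
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var user = await SharedCredentialCheck.FindUserAsync(context.UserName, context.Password);
        if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
        context.Validated(identity);
    }
}

// WCF side: registered in config with userNamePasswordValidationMode="Custom".
public class IdentityUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Task.Run avoids deadlocking on a captured synchronization context.
        var user = Task.Run(() => SharedCredentialCheck.FindUserAsync(userName, password)).GetAwaiter().GetResult();
        if (user == null) throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}
```

The WCF binding should carry the username token over TLS, for example with security mode `TransportWithMessageCredential`, so the credentials are never sent as unprotected text.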

  2. Bruce (SqlWork.com) 55,686 Reputation points
    2021-09-01T14:35:19.093+00:00