0 Votes
PiyushMeshram-2335 asked BruceZhang-MSFT commented

Is it possible to maintain a single OAuth authorization code shared between Web API and WCF web services?

A new project with ASP.NET Web API uses OAuth authorization implemented with OWIN Security and ASP.NET Identity (enabled with the "Individual User Accounts" authentication option when you create a fresh new Web API project).

An old WCF service does not use such an approach for user authentication; a simple DB query was fired to identify the user.

Now, to support the SOAP protocol, which is possible only with WCF services, we need the WCF services to share the same authentication mechanism that the ASP.NET REST Web API is using.

The goal here is: maintain only one piece of code to authenticate and authorize the user. The same code will be shared between the WCF web services and the Web API, developed with .NET Framework 4.8 and written in C#.

Things I tried:

  1. Redirect from the REST Web API to the SOAP WCF web service, which failed because the SOAP WCF call is a POST call and only GET redirects are possible (please correct me if I am wrong).

  2. Verify the hashed password from the WCF service and authorize the user for making the SOAP request. The client request is not the same as the REST request, as the Bearer auth token is missing in the WCF web service, and user credentials passed as base64 are not a secure way.

  3. Windows Basic Authentication at the IIS level, which may need too many Windows users.


What are the best practices to be considered for the solution of the above question?

If the solution is long, sharing some reference links would help.

Tags: windows-server-iis-general, dotnet-aspnet-core-webapi, windows-wcf

0 Votes
Bruce-SqlWork answered

See the docs for an implementation of bearer tokens in WCF:

https://docs.microsoft.com/en-us/dotnet/framework/wcf/samples/token-authenticator


1 Vote
BruceZhang-MSFT answered BruceZhang-MSFT commented

Hi @PiyushMeshram-2335 ,

Something you need to know is that SOAP and REST APIs are different. Though both of them are methods of communication between applications, REST and SOAP cannot be directly compared. REST can be implemented differently from project to project, while SOAP is a well-defined and standardized protocol for data exchange.

REST does not have a well-defined security protocol, but JSON Web Tokens are the most common method of authenticating and authorizing requests. There is no defined standard for building REST, so developers can customize any headers, cache and cookies according to their needs.

On the other hand, SOAP is a protocol for data exchange. Its strengths lie in that it has a certain set of rules and standards that must be obeyed for successful client/server interactions.
A SOAP request envelope generally consists of an optional header and a required body attribute. The header attribute is used for information such as security credentials and other metadata, while the body attribute is used to handle the actual data and any errors that arise. In other words, SOAP uses XML for transferring payload data. This is different from REST.

About your questions:

> we need the WCF services to share the same authentication mechanism that the ASP.NET REST Web API is using.

It is possible to achieve. You can use ASP.NET Identity for authentication and authorization in a WCF service. This is a simple tutorial about how to use ASP.NET Identity in WCF. ASP.NET Identity can also be used in an ASP.NET Web API project (enabled with the "Individual User Accounts" authentication option when you create a fresh new Web API project).

> The same code will be shared between the WCF web services and the Web API, developed with .NET Framework 4.8 and written in C#.

This is impossible. REST and SOAP use different data formats to transfer and communicate. You need to write two pieces of code: one for dealing with JSON and another one for dealing with XML.

If one of your needs is to allow users who have authenticated in REST to communicate with WCF, set a cookie after user login and configure WCF to accept the cookie.




Best regards,
Bruce Zhang





Correction:

The same authentication code will be shared between the WCF web services and the Web API, developed with .NET Framework 4.8 and written in C#.

Is it possible to create a .NET library to maintain the JWT bearer token authentication code and call it in WCF and the REST Web API?

I have already written code in the Web API project, as I mentioned earlier, which I would like to move to a library in such a way that WCF can also use it without rewriting the whole logic, and maintain the authentication logic and code separately (like JWT access token, expiry, renewal, roles, etc.) inside a library.


I want to maintain this "already written OAuth logic" in one place and use it in the WCF web services and the Web API project with just the "[Authorize]" decorator.

The XML and JSON web services and web APIs part comes after that, and will be written separately as they serve different purposes, which is understood.






0 Votes 0 ·

Hi @PiyushMeshram-2335 ,

Yes, it is possible. JWT is also suitable for a WCF service. Microsoft created a NuGet package for handling JWT in WIF: System.IdentityModel.Tokens.Jwt.

0 Votes 0 ·

I have started working on it, and I don't think it is possible to use this library (System.IdentityModel.Tokens.Jwt) in WCF for the shared code scenario. If so, then I can also use one of the following libraries in WCF as well, right?

Refer to the "Used By" section here: https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/


Can I use OWIN in WCF?

I am stuck here:




The "AuthenticationTicket" param requires a reference to the OWIN package. The Protect method will take an AuthenticationTicket as input and return a signed JWT token, as AuthenticationTicket was already referring to OWIN in the Web API code. I want to share this but am stuck here and can't go forward. I hope you understand the problem I am facing here. Any suggestions?

0 Votes 0 ·
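
An added example, not code from the thread or its participants: one way to keep only the token validation in a library that both hosts reference, using the System.IdentityModel.Tokens.Jwt package named above with no OWIN types. The class names, environment variable, issuer and audience are hypothetical, and it assumes HS256-signed tokens sent in the HTTP Authorization header over an HTTP binding.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Channels;
using Microsoft.IdentityModel.Tokens;

// Shared library class: depends on neither OWIN nor WCF, so both hosts can call it.
public sealed class SharedJwtValidator
{
    private readonly TokenValidationParameters _parameters;
    public SharedJwtValidator(byte[] signingKey, string issuer, string audience) =>
        _parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(signingKey),
            ValidateIssuer = true, ValidIssuer = issuer,
            ValidateAudience = true, ValidAudience = audience,
            ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(1)
        };

    // Returns the caller's principal, or null when the header is missing or the token is invalid.
    public ClaimsPrincipal Validate(string authorizationHeader)
    {
        const string scheme = "Bearer ";
        if (authorizationHeader?.StartsWith(scheme, StringComparison.OrdinalIgnoreCase) != true) return null;
        try
        {
            var principal = new JwtSecurityTokenHandler().ValidateToken(
                authorizationHeader.Substring(scheme.Length).Trim(), _parameters, out SecurityToken token);
            // Pin the signing algorithm so tokens signed any other way are rejected.
            return token is JwtSecurityToken jwt && jwt.Header.Alg == SecurityAlgorithms.HmacSha256 ? principal : null;
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException) { return null; }
    }
}

// WCF host: applies the shared check to the HTTP Authorization header of each SOAP call.
public sealed class JwtServiceAuthorizationManager : ServiceAuthorizationManager
{
    // Assumed configuration: the environment variable name, issuer and audience are placeholders.
    private static readonly SharedJwtValidator Validator = new SharedJwtValidator(
        Convert.FromBase64String(Environment.GetEnvironmentVariable("JWT_SIGNING_KEY_B64")),
        "https://issuer.example", "example-audience");
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        operationContext.IncomingMessageProperties.TryGetValue(HttpRequestMessageProperty.Name, out object p);
        return Validator.Validate((p as HttpRequestMessageProperty)?.Headers["Authorization"]) != null;
    }
}
```

The Web API host would call `SharedJwtValidator.Validate` from its own authentication filter or middleware, while the WCF manager is registered through the `serviceAuthorizationManagerType` attribute of the `serviceAuthorization` behavior.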