There's a Dynamics CRM instance on a server ("on-premises"). It will be used by a few sites that run on distant machines (another domain, another Active Directory). The communication between those sites and the CRM instance is done via a CRM proxy, a WCF service that sits near it (near CRM), handles requests, queries CRM etc.
That WCF service is facing the Internet. Although secured communication channels aren't that necessary, authentication is. We cannot let random clients use the services provided by the CRM proxy.
So, Authentication Service (cookies?) / hand-coded token passing (as a parameter for each service operation) / this solution - on stackoverflow.
Thank you in advance!
PS: hand-coded tokens would be "time-sensitive" and hashed a few times with some secret keys. Man-in-the-middle might not be such a big problem, as a token can be invalidated after a request.
Hand-coded token passing is not very elegant. It pollutes your method signatures and makes you duplicate checks all over the place.
If you are able to distribute credentials to your service clients, or pass in credentials that they already use for your system, then I suggest using message security with a custom username & password validator.
The steps to implement it are simple enough. You only need to implement a UserNamePasswordValidator:
A short configuration summary from the linked article:
Specify the security mode in your binding:
<security mode="Message">
  <message clientCredentialType="UserName"/>
</security>
In your service behavior add:
<serviceCredentials>
  <userNameAuthentication
    userNamePasswordValidationMode="Custom"
    customUserNamePasswordValidatorType="YourFullUserNameValidatorType"/>
</serviceCredentials>
Then clients just need to set their credentials directly on the service proxies. So they're not passed in service operations.
serviceClient.ClientCredentials.UserName.UserName = "username";
serviceClient.ClientCredentials.UserName.Password = "password";
Your UserNamePasswordValidator will get these credentials for each service operation call and you will have the chance to validate them against your credentials store.
However, for more security, you could look into certificate authentication. It's more reliable and you are not required to buy a cert from a CA. If you can also set yourself up as a CA on the client computers, then you're good to go. It's appropriate especially because you only have a few clients, so they would be easy to manage.