Let me introduce you to a little friend called OAuth. OAuth is an open authentication framework designed for use by web service providers allowing you to give access to applications without giving them access to user credentials.
I’ve been working on an OAuth library to turn an ASP.net MVC site into an OAuth Provider (a service that can accept incoming requests from OAuth Consumer applications)
So far it consists of the following:
OAuthController has endpoints for RequestToken and AccessToken http requests.
OAuthSecuredAttribute is an action filter to stop access to an action if the requester isn’t authenticated via OAuth
OAuthService has intermediary services for the attibute and controller for:
- Building an OAuth request (Access, Access Token and Request Token Requests)
- Generating Request Tokens
- Generating Access Tokens
- Getting a saved Request Token
- Authorising a Request Token
OAuthRequest is a state wrapper to quickly examine if the current OAuth Request is valid
You are left to your own devices to implement the following:
IRequestToken Token objects that need to be saved and have a token string and a secret string also have some other elements
IConsumer contracts for consumers of your service, should be able to return a secret key, a TimeStamp of the last request the consumer made (and integer, see the OAuth Specs), a list of valid request/access tokens, save a nonce for current TimeStamp value, determine weather a nonce is valid (hasn’t been used with the current TimeStamp)
ITokenGenerator generate new request and access tokens, setting the secret and token strings
There’s a sample project so people can see how it should be used.
So head over to the project and check it out. oauth-mvc.net
PS. I’m not saying that MVC is the best way to build services, just that it’s the framework I needed to use, Alex Henderson has done some work on using OAuth with WCF projects