
I am developing a REST WCF web service in which my client will call the service using HTTP. The user will be authenticated using a username and password (Basic Authentication). I have the following questions in my mind.

1. How can I secure my username and password? While searching on the internet, many suggested using HTTPS/OAuth/OpenID. I felt the following are the conflicts of using any of these:

  • OAuth/OpenID: This requires a 3rd party to authenticate my user. What if I store the user details only in my system? Is there any way I can implement OAuth for such a functionality? Based on my assumption, OAuth uses a token to authenticate the user; how could a man-in-the-middle attack be avoided here? Say the attacker gains the token, or gains the whole URL: can he make the request to the server?
  • HTTPS: Based on many reviews on the internet, this is the best. I am pretty sure HTTPS will secure the data transfer between the client and server, but I wanted to know whether it secures the URL as well (where we store our username and password)?


Joe 89
Username and password in the URL just seems to be a security failure whatever else you do – URLs go into logs etc. Less bad to put them in the body (better: use digest authentication; best: OAuth etc.). In all cases use HTTPS (it is hard to justify any API that needs authentication not being all HTTPS today, if only for the server verification it gives). – Richard Mar 27 '15 at 08:42

1 Answer


The best way to avoid a man in the middle attack is to use a server with HTTPS and validate the certificate on the client. If you use a browser as client, this will automatically be done for you.

Whether you pass username and password or bearer tokens around, you'll need HTTPS to protect them from being stolen by anyone on the same network.

Sending passwords in every request is a bad idea for a number of reasons which I've described here. I would recommend you look into using bearer tokens in case your service is a WCF REST service or a SAML protected binding if you're using SOAP services.

You don't mention whether your clients will be a web application or native clients or if the service is exposed on the internet or inside corporate firewalls. All these factors influence decisions around security.

OAuth is not the only token based authentication mechanism. For enterprise applications you could look at WS-Federation/WS-Trust and ADFS. Also, the OAuth authorization server does not have to be an external party, you can deploy an authorization server as part of your application.

MvdD
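As an added example that is not part of the original question or answer, here is one way to put the answer's recommendations into WCF code: the client sends a bearer token in the `Authorization` header (never in the URL, so it does not land in access logs or browser history), refuses to talk to anything but HTTPS, and keeps the default server-certificate validation; the service side validates the token with an `IDispatchMessageInspector` attached to a `webHttpBinding` endpoint. The endpoint address, `OrderService`/`IOrderService`, the `orders` resource and the in-memory token store are all assumptions for illustration; a real service would issue tokens from a login endpoint and persist or sign them.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;
using System.Threading.Tasks;

// Client side (assumed endpoint): token goes in the Authorization header over HTTPS only.
public static class OrderClient
{
    public static async Task<string> GetOrdersAsync(Uri baseAddress, string token)
    {
        // Sending a bearer token over plain HTTP would expose it to anyone on the path.
        if (baseAddress.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Refusing to send a bearer token over plain HTTP.");

        // HttpClientHandler validates the server certificate against the trusted roots
        // by default. Do NOT set ServerCertificateCustomValidationCallback to return
        // true: that accepts any certificate and reintroduces the man-in-the-middle risk.
        using (var client = new HttpClient(new HttpClientHandler()) { BaseAddress = baseAddress })
        {
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            HttpResponseMessage response = await client.GetAsync("orders");
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}

// Service side: reject any request whose Authorization header does not carry a valid token.
public class BearerTokenInspector : IDispatchMessageInspector
{
    // Constructed in-memory token store: token value -> (user, expiry). Placeholder for
    // a real store or for signed tokens issued by a login/token endpoint.
    private static readonly ConcurrentDictionary<string, (string User, DateTime ExpiresUtc)> IssuedTokens =
        new ConcurrentDictionary<string, (string, DateTime)>();

    public static void Issue(string token, string user, TimeSpan lifetime) =>
        IssuedTokens[token] = (user, DateTime.UtcNow.Add(lifetime));

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        var http = request.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
        string header = http?.Headers[HttpRequestHeader.Authorization];

        string user;
        if (!TryAuthenticate(header, out user))
        {
            // Bare 401: do not tell the caller whether the token was missing, unknown or expired.
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        }
        return user; // correlation state, handed to BeforeSendReply
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    // Validation logic kept free of WCF plumbing so it can be unit tested directly.
    public static bool TryAuthenticate(string authorizationHeader, out string user)
    {
        user = null;
        const string scheme = "Bearer ";
        if (authorizationHeader == null ||
            !authorizationHeader.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        string token = authorizationHeader.Substring(scheme.Length).Trim();
        if (!IssuedTokens.TryGetValue(token, out var entry))
            return false;
        if (entry.ExpiresUtc <= DateTime.UtcNow)
        {
            IssuedTokens.TryRemove(token, out _);   // expired: drop it
            return false;
        }
        user = entry.User;
        return true;
    }
}

// Endpoint behavior that installs the inspector on the dispatch side.
public class BearerTokenBehavior : IEndpointBehavior
{
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) =>
        endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new BearerTokenInspector());
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Hosting sketch (assumed service types), with a transport-secured binding so the
// Authorization header is only ever sent inside TLS:
//   var binding = new WebHttpBinding(WebHttpSecurityMode.Transport);
//   var host = new WebServiceHost(typeof(OrderService), new Uri("https://localhost:8443/"));
//   ServiceEndpoint ep = host.AddServiceEndpoint(typeof(IOrderService), binding, "");
//   ep.EndpointBehaviors.Add(new BearerTokenBehavior());
```

The inspector deliberately reads only the `Authorization` header: a token passed as a query-string parameter is ignored, which is the behaviour you want if you agree with the comment above that credentials in URLs end up in logs. Because `TryAuthenticate` has no WCF dependencies, you can unit test the missing-header, unknown-token and expired-token paths without hosting the service.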