Silverlight and WCF Authentication Issues

Welcome to a new post in the “My Adventures in Silverlight” series. In this post I’ll try to outline a few caveats I found while trying to get a Silverlight client application to communicate with a WCF provider service.

The Basics

As we mentioned earlier, Silverlight only recognizes the basicHttpBinding binding. This means that it cannot use web service extensions for authentication, unlike standard ASP.NET applications. Furthermore, as Silverlight is a platform-agnostic technology, it cannot use Windows authentication either. In an enterprise environment, this is a serious handicap.

The Alternatives

Alternative #1: Non-Authenticated Service + Username + Secret Value

You can use a non-authenticated service as an endpoint for a Silverlight client to connect to. Inside the method call, insert the username and a secret value known only to the client application and the server. This secret value should act as a second check (the first is the username) for the service.

It’s not flawless, but it should be considered.

Alternative #2: Implicit Authentication

If your Silverlight application runs in the same IIS site as the service it’s trying to consume, and the service requires authentication, then you can skip the authentication code. Silverlight can consume a secured web service without authenticating itself as long as the service and the Silverlight client application are in the same IIS site.
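
One way the service side of Alternative #2 can look, as an added example that is not code from the original post. It assumes the service is hosted in the same ASP.NET application as the Silverlight client with ASP.NET compatibility mode enabled; the contract, class and user names are hypothetical.

```csharp
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

// Hypothetical contract and names, for illustration only.
[ServiceContract]
public interface IProfileService
{
    // No user name parameter: the caller's identity comes from the
    // authenticated ASP.NET request, not from the Silverlight client.
    [OperationContract]
    string GetDisplayName();
}

// Required mode makes activation fail unless web.config sets
// <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />,
// so the service can never run without an ASP.NET request context.
[AspNetCompatibilityRequirements(
    RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class ProfileService : IProfileService
{
    // Constructed sample data standing in for a real user store.
    private static readonly Dictionary<string, string> DisplayNames =
        new Dictionary<string, string>
        {
            { @"CONTOSO\alice", "Alice Example" },
            { @"CONTOSO\bob", "Bob Example" }
        };

    public string GetDisplayName()
    {
        string user = RequireAuthenticatedUser();
        string name;
        return DisplayNames.TryGetValue(user, out name) ? name : user;
    }

    // Fail closed: reject the call if the site did not authenticate it.
    private static string RequireAuthenticatedUser()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null ||
            !ctx.User.Identity.IsAuthenticated)
        {
            throw new FaultException("Caller is not authenticated.");
        }
        return ctx.User.Identity.Name;
    }
}
```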

2 thoughts on “Silverlight and WCF Authentication Issues”

  1. Phew, Alternative #2 might just save my day. Do you have more info on how this works? By same IIS site, do you mean the same Application (or virtual directory in 2003)? Do I just turn off Anonymous access on the web application?

    Thanks.

    KK
    kingkong88@gmail.com

  2. Hi, S/360

    Alternative #2 means that an IIS web site or virtual directory is an authentication boundary. Once authenticated in your ASP.NET application, you can consume data from a service hosted in the same application with your Silverlight client. It won’t cause the authentication to be triggered because the request comes already authenticated by ASP.NET. Of course, Silverlight remains blissfully ignorant of that fact.
