Authentication in WP7 client with REST Services–Part II

In the previous post I covered the “semi-passive” way for authentication between a Windows Phone 7 client and a REST service. This post completes the information with the “active” way.

There’s nothing unexpected here really:

1. We call the Identity Provider using a RequestSecurityToken message (RST)
2. We send the SAML token to ACS and get a “Simple Web Token” (SWT)
3. We call the service with the SWT as in the previous example using the Web browser

The only tricky thing is that there’s no library in the phone runtime for sending the RST message to the STS. In a desktop application you’d simply use WIF or plain WCF (with the right binding). But neither is available on WP7. So step 1 and 2 require some custom code.

For step 1 we are creating the RST manually:

All those interactions are fairly easy to compose with the Rx framework, so the call gets really compact and easy to read:

The AddAuthorizationHeader extension method now:

All this is “plumbing code” that is written once and used many hopefully.

One potential disadvantage of this approach compared to the previous one, is less flexibility in dealing with many identity providers. Remember that ACS can have many IdPs it could use and have the user potentially pick one from a list (a.k.a. Home Realm Discovery). None of that is built in this example (but you could of course). In a browser all of that is handled server side and just works.

The other disadvantage is that this only works with WS-Trust STSs. If we wanted to say, authenticate with other providers you will have to implement the protocol and then update the client code. When using the browser all of that is handled server side. You can add/remove/take advantage of any upgrades to ACS with no changes to be made on the phone app.

On the other hand, if you don’t need all that flexibility, it is a lighter weight and more direct solution: less round-trips, simpler code, etc. That could be case for a more enterprise oriented app, where the STS could be your corporate ADFS for example. That is unlikely to change frequently.

We are still adjusting some details on the full sample, but it is very likely it will be included in the next drop on CodePlex site.