Jamie Thomson

Hi,

Is there much of a story/any guidelines around authentication yet in Astoria? I've got an embryonic idea about a potential use for Astoria and it will definitely require the user to authenticate themselves. I'm also pondering enabling the user to authenticate themselves via Windows Live ID. Will this be possible on an Astoria service, do you think?

Thanks

Jamie




Re: ADO.NET Data Services (Pre-Release) Authentication in Astoria

Pablo Castro - MSFT

Hi Jamie,

The CTP we shipped last May did not include a fully-baked security story. It had minimal support for authorization, but not an appropriate level of implementation and guidance for building production applications.

If you want to explore the space, for authentication you can use any ASP.NET authentication mechanism. All Astoria does is check out the current principal from the request. From the authorization perspective, you can read some details in the "Using Astoria" doc, and also some notes in this blog entry:

http://blogs.msdn.com/pablo/archive/2007/05/21/security-in-data-services.aspx

It's still early in the design process, so we have work to do there. If you have specific scenarios in mind around security, I'd love to hear about them.

Pablo Castro

Technical Lead

Microsoft Corporation






Re: ADO.NET Data Services (Pre-Release) Authentication in Astoria

Jamie Thomson

Hi Pablo,

Thanks for the reply.

When I have a proper use case fleshed out I'll be sure and let you know. At the moment this is speculative.

At the moment I can't even create the damned EDM :) http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1838828&SiteID=1

Thanks

Jamie






Re: ADO.NET Data Services (Pre-Release) Authentication in Astoria

Kevin Hoffman

Pablo,

Is there any chance that at some point you will be supporting custom parameters to the Astoria URL? This way we could pass something like authToken=aaaabbbbccccdddeeeffff and then we could write a handler for the authentication token.






Re: ADO.NET Data Services (Pre-Release) Authentication in Astoria

Pablo Castro - MSFT

Hi Kevin,

Actually, you can do that today. If you pass in extra parameters we'll ignore them if I remember correctly. I don't know if we'll keep that behavior exactly like that in future iterations, but in the current CTP bits it should work...

For example, this URI works fine:

http://astoria.sandbox.live.com/northwind/northwind.rse/Customers?$take=2&foo=bar

Pablo Castro

Technical Lead

Microsoft Corporation
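
The authToken idea from the two posts above, sketched as an ASP.NET HTTP module that validates the extra query parameter and sets the request principal the service then reads. This is an added example, not code from the thread or from Astoria; the class name, token format and key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical module (added example); register it under <httpModules> in web.config.
public class AuthTokenModule : IHttpModule
{
    // Constructed demo key; assumption: the real key comes from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }

    private static void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string user = Validate(ctx.Request.QueryString["authToken"], DateTime.UtcNow);
        if (user == null)
        {   // Reject before the data service sees the request.
            ctx.Response.StatusCode = 401;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
        // The service picks up the current principal from the request.
        ctx.User = new GenericPrincipal(new GenericIdentity(user, "AuthToken"), new string[0]);
    }
    // Assumed token format: user|expiryTicksUtc|HEX(HMAC-SHA256(user|expiryTicksUtc))
    public static string Validate(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string[] p = token.Split('|');
        long expiry;
        if (p.Length != 3 || p[0].Length == 0) return null;
        if (!long.TryParse(p[1], out expiry) || expiry < nowUtc.Ticks) return null;
        return FixedTimeEquals(Sign(p[0] + "|" + p[1]), p[2]) ? p[0] : null;
    }
    public static string Sign(string payload)
    {
        using (HMACSHA256 h = new HMACSHA256(Key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }
    // Compare without exiting at the first mismatching character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A token carried in the URL ends up in server logs, browser history and Referer headers, so this sketch assumes HTTPS and short expiry times.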






Re: ADO.NET Data Services (Pre-Release) Authentication in Astoria

web scale

I really think that this would be a great area for Microsoft to step up and offer guidance on WCF security. Following in the footsteps of the ASP.NET membership API and the trustworthy computing initiative, this is something that Microsoft could offer that developers would be able to jump on and kick start their development.

I would think that following the model similar to the Flickr API with both a developer key and user authentication would be ideal.