How do I ensure authentic silverlight clients are calling my azure services

How can I be confident that only our silverlight applications are calli开发者_运维问答ng our azure services?

The silverlight client will need to have a user authenticated and have the correct permissions to perform an action but I did not know how application authenticity is commonly implemented on these azure service calls. I know you can sign the application (required for client updates). Is this combined with ssl connections enough? Should I be using a cert at the client?

What are some common approaches to this problem?

---

You can put data inside your message headers. You can do it in the SOAP header when using SOAP or in the HTTP header when using REST. Then when you've done this you can use a secure SSL channel to communicate so people can't sniff out your packages.

http://blogs.msdn.com/b/nathana/archive/2007/05/29/custom-soap-headers-wcf-and-asmx.aspx

When you're using RIA service and you want to add data in the HTTP header then see my blog:

http://strugglesofacoder.blogspot.com/2011/02/normal-0-21-false-false-false-nl-be-x.html

---

Silverlight does not have a way of identifying itself to the service, and even if it does, a little tool called Fiddler will expose all that information for anyone to exploit your services.

You should assume nothing about the client. Your services should perform validation on the incoming requests without trying to determine who/what the client is.

I do hope someone has a solution because I haven't found one yet, and I'd love to secure my services so that only Silverlight can make requests.

---

You could do this using the Access Control Service, there is a nice example on codeplex written by someone of the ACS team:

http://acs.codeplex.com/wikipage?title=ACS%20Windows%20Phone%20Sample&referringTitle=Samples

although it is a windows phone 7 client (which is also silverligh), i think you can distill what you need from it.

---

Silverlight is a tricky beast when it comes to integrating with ACS, it seems that writing to the headers from Silverlight to pass authentication information along is very tricky - there isn't an easy way to intercept the calls to wrap them with the auth header in Silverlight, like you could do in an ASP.NET application.

You can use ACS to get your identifying information to Silverlight by using an approach like this example: http://channel9.msdn.com/Events/MIX/MIX10/SVC01

What I ended up doing is wrapping some unique identifier claim in a SWT token, signed with a key that's known by both Silverlight and the web service, and having the web service verify that that user has access. By placing the unique identifier in a signed SWT token (with an expiration time of a very short amount - to help reduce attacks where folks copy a valid request and send it again at a later time), I could more comfortably believe that the request was truly coming from my Silverlight app.

To pass the token, I just made a class that contains all the parameters I want to pass (that way I didn't have to keep rewriting the function definitions), including the SWT token.

Hope this helps.