Token based Authentication for WCF HTTP/REST Services: Authorization

In the previous post I showed how token based authentication can be implemented for WCF HTTP based services.

Authentication is the process of finding out who the user is – this includes anonymous users. Then it is up to the service to decide under which circumstances the client has access to the service as a whole or individual operations. This is called authorization.

By default – my framework does not allow anonymous users and will deny access right in the service authorization manager. You can however turn anonymous access on – that means technically, that instead of denying access, an anonymous principal is placed on Thread.CurrentPrincipal. You can flip that switch in the configuration class that you can pass into the service host/factory.

var configuration = new WebTokenWebServiceHostConfiguration
    AllowAnonymousAccess =

But this is not enough, in addition you also need to decorate the individual operations to allow anonymous access as well, e.g.:

public string

Inside these operations you might have an authenticated or an anonymous principal on Thread.CurrentPrincipal, and it is up to your code to decide what to do.

Side note: Being a security guy, I like this opt-in approach to anonymous access much better that all those opt-out approaches out there (like the Authorize attribute – or this.).

Claims-based Authorization
Since there is a ClaimsPrincipal available, you can use the standard WIF claims authorization manager infrastructure – either declaratively via ClaimsPrincipalPermission or programmatically (see also here).

    Resource =
    Operation =
public ViewClaims
return new ServiceLogic().GetClaims();


In addition you can also turn off per-request authorization (see here for background) via the config and just use the “domain specific” instrumentation.

While the code is not 100% done – you can download the current solution here.


(Wanna learn more about federation, WIF, claims, tokens etc.? Click here.)

This entry was posted in IdentityModel, IdentityServer. Bookmark the permalink.

2 Responses to Token based Authentication for WCF HTTP/REST Services: Authorization

  1. Bhagvan says:

    link to download source code is not working, please provide correct link.

Leave a Reply to Bhagvan Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s