Authentication in Astoria

Hi,

Is there much of a story/any guidelines around authentication yet in Astoria? I've got an embryonic idea about a potential use for Astoria and it will definitely require the user to authenticate themselves. I'm also pondering enabling the user to authenticate themselves via Windows Live ID. Will this be possible on an Astoria service do you think?

Thanks

Jamie

By JamieThomson at 2008-2-2
# 1

Hi Jamie,

The CTP we shipped last May did not include a fully-baked security story. It had minimal support for authorization, but not an appropriate level of implementation and guidance for building production applications.

If you want to explore the space, for authentication you can use any ASP.NET authentication mechanism. All Astoria does is check out the current principal from the request. From the authorization perspective, you can read some details in the "Using Astoria" doc, and also some notes in this blog entry:

http://blogs.msdn.com/pablo/archive/2007/05/21/security-in-data-services.aspx

It's still early in the design process, so we have work to do there. If you have specific scenarios in mind around security, I'd love to hear about them.

Pablo Castro

Technical Lead

Microsoft Corporation

PabloCastro-MSFT at 2007-10-2 > top of Msdn Tech,Incubation Technologies,Project Codename: Astoria...
# 2

Hi Pablo,

Thanks for the reply.

When I have a proper use case fleshed out I'll be sure and let you know. At the moment this is speculative.

At the moment I can't even create the damned EDM :) http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1838828&SiteID=1

Thanks

Jamie

JamieThomson at 2007-10-2
# 3

Pablo,

Is there any chance that at some point you will be supporting custom parameters to the Astoria URL? This way we could pass something like ?authToken=aaaabbbbccccdddeeeffff and then we could write a handler for the authentication token?

KevinHoffman at 2007-10-2
# 4

Hi Kevin,

Actually, you can do that today. If you pass in extra parameters we'll ignore them if I remember correctly. I don't know if we'll keep that behavior exactly like that in future iterations, but in the current CTP bits it should work...

For example, this URI works fine:

http://astoria.sandbox.live.com/northwind/northwind.rse/Customers?$take=2&foo=bar

Pablo Castro

Technical Lead

Microsoft Corporation

PabloCastro-MSFT at 2007-10-2
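
The approach discussed in posts 3 and 4, as an added example that is not part of the original thread and not Astoria code: an ASP.NET `IHttpModule` that validates an `authToken` query parameter and sets the request principal, which is what Astoria reads. The token layout (`user.expiryTicks.hexHmacSha256`), the class name and the key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical module: authenticates requests carrying ?authToken=user.expiryTicks.signature
public class AuthTokenModule : IHttpModule
{
    // Assumption: placeholder secret; load the real key from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("REPLACE-WITH-SECRET-KEY");

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string user = Validate(ctx.Request.QueryString["authToken"], DateTime.UtcNow);
        if (user != null)
            ctx.User = new GenericPrincipal(new GenericIdentity(user, "AuthToken"), new string[0]);
        // No valid token: this module leaves the principal untouched (anonymous).
    }

    // Returns the user name for a correctly signed, unexpired token, otherwise null.
    public static string Validate(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string[] parts = token.Split('.');   // assumption: user names contain no '.'
        long expiry;
        if (parts.Length != 3 || parts[0].Length == 0 || !long.TryParse(parts[1], out expiry))
            return null;

        byte[] expected;
        using (HMACSHA256 mac = new HMACSHA256(Key))
            expected = mac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]));
        string expectedHex = BitConverter.ToString(expected).Replace("-", "");

        // Compare every character so timing does not reveal how much of the signature matched.
        if (expectedHex.Length != parts[2].Length) return null;
        int diff = 0;
        for (int i = 0; i < expectedHex.Length; i++)
            diff |= char.ToUpperInvariant(parts[2][i]) ^ expectedHex[i];
        if (diff != 0) return null;
        return nowUtc.Ticks <= expiry ? parts[0] : null;   // expiry is in UTC ticks
    }
}
```

Register the module in the `<httpModules>` section of web.config so it runs during ASP.NET authentication. Query strings end up in server logs, browser history and Referer headers, so keep the expiry short and serve the endpoint over HTTPS only.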
# 5

I really think that this would be a great area for Microsoft to step up and offer guidance on WCF security. Following in the footsteps of the asp.net membership API and the trustworthy computing initiative, this is something that Microsoft could offer that developers would be able to jump on and kick start their development.

I would think that following the model similar to the Flickr API with both a developer key and user authentication would be ideal.

webscale at 2007-10-2