Authorization and verification of the token using the WCF service

I am working on an internal test environment in which one of the requirements is the ability to allocate a resource that can be used in the test (for example, allocating a physical PC that will be used as part of the test). This resource runs on the WCF service, and the test talks to it through a proxy.

As part of the structure, I would like to add some level of authorization, where after allocating the resource, the token is retrieved and presented to the service running on the resource and should be checked by the resource service.

We have two main options:

1. *Federated security* - a proxy server that speaks to a resource receives a token from the security token service and presents it to the resource service, which checks it. This is apparently the cleanest solution, but the main problem is the cancellation of the token after the release of the device. One option is to have the token time out several times, and in the worst case, the resource is not used for several minutes, but this is less than ideal.

2. *Check with the token in each call* - in this solution, the resource service uses the token service to verify the token (instead of just checking it with the public key, as in solution No. 1). This solves the recall problem, but it seems like tons of overhead to be checking it with a different service for each call.

What do you all think? Which option is better? Is there an option 3 (4, 5, etc.)? Thanks!

+4

Source: https://habr.com/ru/post/1339042/
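
The trade-off between the two options in the question, as an added example that is not part of the original post: plain C# with no WCF plumbing, where the token format `resourceId|expiryTicks|signature`, the class names and the `pc-01` resource are all assumptions made for illustration. It shows that a released token still passes the offline public-key check until it expires, while the per-call check against the token service rejects it at the cost of one extra call per request.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical token service: signs "resourceId|expiryTicks" and remembers released tokens.
class TokenService {
    private readonly RSA _key = RSA.Create(2048);
    private readonly HashSet<string> _released = new HashSet<string>();
    public RSAParameters PublicKey => _key.ExportParameters(false);

    public string Issue(string resourceId, DateTime expiresUtc) {
        string payload = resourceId + "|" + expiresUtc.Ticks;
        byte[] sig = _key.SignData(Encoding.UTF8.GetBytes(payload),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return payload + "|" + Convert.ToBase64String(sig);
    }
    public void Release(string token) => _released.Add(token);         // device handed back
    public bool IsActive(string token) => !_released.Contains(token);  // option 2 lookup
}

// Hypothetical validator running on the allocated resource.
class ResourceService {
    private readonly RSA _pub = RSA.Create();
    private readonly string _id;
    public ResourceService(string id, RSAParameters pub) { _id = id; _pub.ImportParameters(pub); }

    // Option 1: offline check of signature, resource binding and expiry only.
    public bool ValidateLocal(string token, DateTime nowUtc) {
        string[] p = token.Split('|');
        if (p.Length != 3 || p[0] != _id || !long.TryParse(p[1], out long ticks)) return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(p[2]); } catch (FormatException) { return false; }
        return nowUtc.Ticks < ticks && _pub.VerifyData(Encoding.UTF8.GetBytes(p[0] + "|" + p[1]),
            sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }
    // Option 2: the same checks plus a round trip to the token service on every call.
    public bool ValidateOnline(string token, DateTime nowUtc, TokenService sts)
        => ValidateLocal(token, nowUtc) && sts.IsActive(token);
}

static class Demo {
    static void Main() {
        var sts = new TokenService();
        var now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed clock
        var pc = new ResourceService("pc-01", sts.PublicKey);
        string token = sts.Issue("pc-01", now.AddMinutes(5));           // 5-minute lifetime
        sts.Release(token);                                             // test finished early
        Console.WriteLine(pc.ValidateLocal(token, now.AddMinutes(1)));       // option 1, after release
        Console.WriteLine(pc.ValidateOnline(token, now.AddMinutes(1), sts)); // option 2, after release
        Console.WriteLine(pc.ValidateLocal(token, now.AddMinutes(6)));       // option 1, after expiry
    }
}
```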

