.NET n-tier identity & authorization in a services architecture (architecture, identity, .net)

2023-09-03 08:34:18 Author: 拥万里江山享无边孤单

I'm building an application where the requirements seem standard issue (at least to me)... I have a Web.UI based on ASP.NET MVC & clients from iPhone, Android & BlackBerry.

So the sensible thing to do is to move all my business logic into a services layer that can be accessed over HTTP. This services layer must accept requests with a user context (identity) and in some nice way perform authorization consistently no matter which type of client is communicating with it (I hope?).

Over a year ago I did a 3 month gig that employed W.I.F. (Windows Identity Foundation) in a hybrid on-premises & cloud architecture. I liked it. The 3 things that struck a chord were (1) externalizing authentication and not caring how it was done, (2) removing authorization logic from business logic, (3) claims based authorization.

Over the last year I've heard and watched all about REST services, the 'new cool hippy way of doing things'. So I thought great, let's try that. After I started to play around & get coding, I started getting really confused (and subsequently read for about 10 hours yesterday without writing another line of C#). I'm still confused about all the SOAP vs REST, WS.* vs HTTP, SAML vs SWT babble. I don't really want this thread to be about that because there is enough of that speak on Stack Overflow, but I feel like I've got a choice between two camps, when it doesn't really feel like I want one or the other but bits from each?

To me the 3 points I mentioned above about WIF don't seem like concepts that should be tied to WS.* ? But I'm getting the feeling that they, or at least how WIF comes at the moment makes them, without some expert tweaking (e.g. I came across this post only written a few days ago - http://zamd.net/2011/02/08/using-simple-web-token-swt-with-wif/).

The other area I don't know much about is whether my clients (iPhone, Android, BlackBerry) are capable of playing with WIF: is it the same STS that throws a SAML token to them, and do they behave just like a browser and pass it back in a header just like any other client? Yes, I'm going to have to find out, but if this is a deal breaker with W.I.F. and I find out straight after posting this, then at least I can focus away from it.

Finally, to throw one more thing in the mix. I don't really want to think about any of this. I want to use a 3rd party authentication / identity provider - http://www.janrain.com/products/engage - which I believe uses OpenID. Can this fit into W.I.F., or do I just create a new SAML token from the OpenID and use WIF from that moment on?

I guess at the end of this babble, I want to come back to where I started because it's getting more and more complicated the more questions I ask and the more options I consider.

Is having a services layer (on WCF) that talks to different non-.NET clients and that requires identity context and authorization so strange? If you've built something like this, how did you approach it?

Accepted answer

When you have many devices, one way to get the same solution working across all of them is to target the lowest common denominator.

Assuming that all your clients support cookies, one way of doing this would be:

- Have an authentication system based on cookies.
- Cache all authorization information on the server side, linked to the session or key in the cookie.
- For every request, check the authorization.

Not quite as elegant as using SAML tokens, but it does work cross platform / devices.

iPhone supports cookies http://support.apple.com/kb/HT1675

BlackBerry supports cookies http://docs.blackberry.com/en/developers/deliverables/11844/feature_cookie_storage_438273_11.jsp
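One concrete shape of the cookie-based scheme in the answer above, as an added example that is not code from the original post: an opaque random session id is the only thing the client holds in its cookie, the user's permissions are cached server-side under that id, and an ASP.NET MVC authorization attribute checks a required permission on every request regardless of client type. The `SessionStore` class, the `app_session` cookie name and the permission strings are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Server-side store of authorization data keyed by an opaque session id (assumed helper).
// The client only ever holds the id in a cookie; the permissions never leave the server.
public static class SessionStore
{
    private static readonly ConcurrentDictionary<string, HashSet<string>> Sessions =
        new ConcurrentDictionary<string, HashSet<string>>();

    // Called once the external identity provider has authenticated the user:
    // resolve the user's permissions once and cache them under a fresh random id.
    public static string Create(IEnumerable<string> permissions)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var id = Convert.ToBase64String(bytes);
        Sessions[id] = new HashSet<string>(permissions, StringComparer.Ordinal);
        return id; // issue it as an HttpOnly + Secure cookie so scripts and plain HTTP cannot read it
    }

    public static bool HasPermission(string id, string permission)
    {
        HashSet<string> perms;
        return id != null && Sessions.TryGetValue(id, out perms) && perms.Contains(permission);
    }

    // Logout or revocation is a server-side delete; the cookie value is useless from then on.
    public static void Revoke(string id)
    {
        HashSet<string> removed;
        Sessions.TryRemove(id, out removed);
    }
}

// Per-request authorization check; it does not care which client type sent the cookie.
public class RequirePermissionAttribute : AuthorizeAttribute
{
    private const string CookieName = "app_session"; // assumed cookie name
    private readonly string _permission;
    public RequirePermissionAttribute(string permission) { _permission = permission; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var cookie = httpContext.Request.Cookies[CookieName];
        return cookie != null && SessionStore.HasPermission(cookie.Value, _permission);
    }
}
```

Applied as `[RequirePermission("orders:read")]` on a controller action, the check runs before the action for every client that presents the cookie, and revoking the id on the server locks out all of them at once.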