I am trying to implement a custom authentication scheme in my OData WCF service, where the client submits their login credentials to the server, and receives a session token if they are authenticated.
In the OData service, I have a Login method:
    [WebInvoke]
    public void Login()
    {
        HttpRequest request = HttpContext.Current.Request;
        string user, password;
        user = request.Form["User"];
        password = request.Form["Password"];
        //...
    }
which I call from the client using jQuery:
    $.ajax({
        url: loginUrl,
        type: 'POST',
        data: JSON.stringify({ User: loginID(), Password: loginPassword() }),
        dataType: 'json',
        contentType: 'application/json; charset=utf-8'
    });
In the browser, I can see that User and Password are present in the POST body.
Stepping through the OData service, the Login() method is being hit, but User and Password are not there - the request.Form is completely empty.
At first, searching found this question, saying that the POST content type needs to be set to application/json instead of application/x-www-form-urlencoded. However, making this change did not solve the problem.
Searching found many SO questions about OData or WCF POST requests being empty, but I eventually found the MSDN page on WCF service operations, which states:
The operation method may only accept input parameters. Data sent in the message body cannot be accessed by the data service.
So according to this, a POST request won't work no matter what. This seems to mean I will have to use a GET request. However, sending the password in a GET request is a bad idea.
Do I need to use "faux" HTTP Basic Authentication, where I pass the credentials in a header, but only for the login call, and not with every request?
Otherwise, what is the proper way to get the login credentials from the client to the OData service?
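
Added example, not part of the original post: a sketch of the header-based login call the question describes, with the credentials sent in an `Authorization: Basic` header on the login request only. Every name except `loginUrl` is an assumption made for illustration, and `parseBasicHeader` is a reference decoder written in JavaScript so the round trip can be checked; the service would apply the same steps to the header value it reads from `request.Headers["Authorization"]`.

```javascript
// Added example. Base64 is an encoding, not encryption: the header is only
// as private as the transport, so the login call belongs on HTTPS.

// Encode "user:password" as UTF-8 before base64; btoa() alone throws on
// characters outside Latin-1.
function buildBasicHeader(user, password) {
  if (user.includes(':')) {
    // The first ':' separates the two fields, so a user name may not contain one.
    throw new Error('user name must not contain ":"');
  }
  const bytes = new TextEncoder().encode(user + ':' + password);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return 'Basic ' + btoa(binary);
}

// Settings object for $.ajax: the credentials travel in a header on the
// login call only, with no request body and nothing in the URL.
function loginRequestOptions(loginUrl, user, password) {
  return {
    url: loginUrl,
    type: 'POST',
    headers: { Authorization: buildBasicHeader(user, password) }
  };
}

// Reference decoder: the steps the service has to mirror on its side.
// Returns null for anything that is not a well-formed Basic header.
function parseBasicHeader(header) {
  const match = /^Basic ([A-Za-z0-9+/]+={0,2})$/i.exec(header || '');
  if (!match) return null;
  let text;
  try {
    const binary = atob(match[1]);
    const bytes = Uint8Array.from(binary, c => c.charCodeAt(0));
    text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch (e) {
    return null; // bad base64 or invalid UTF-8
  }
  const sep = text.indexOf(':'); // split at the FIRST colon only
  if (sep < 0) return null;      // a password may itself contain ':'
  return { user: text.slice(0, sep), password: text.slice(sep + 1) };
}
```

On the client this would be used as `$.ajax(loginRequestOptions(loginUrl, loginID(), loginPassword()))`.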