I am making a site from the WCF REST Service Template 40(CS) from the VS 2010 online templates. It works great but I need to secure it.
I need to support windows, linux, and iPhone apps so REST + oAuth seems like a good solution but I don't know where to start.
Basically I need to resolve username/passwords(to hash of course) to my database like traditional forms auth.
OAuth doesn't transmit a user name / password. OAuth sends an OAuth header inside of the HTTP Auth header. Your service will need to pull this out and then test it to make sure it is valid.
The OAuth header will have in it a bunch of values (timestamp, consumer_key, nonce) unencrypted. You can take these unencrypted values and use the unencrypted key to look up the secret key that your service will use to encrypt those same values with and make sure it matches the signature that is also included in the OAuth header. If your generated signature matches the signature included in the OAuth header, then you know that the HTTP request is good. Then you can take the consumer key out of the header and use it to look up the username if you need to.
See my post here. Bear in mind that there are several good libraries to make all of this easier, like DotNetOpenAuth.