WCF: Authentication Service or token-based security?

Hand-coded token passing is not very elegant. It pollutes your method signatures and makes you duplicate checks all over the place.

If you are able to distribute credentials to your service clients, or pass in credentials that they already use for your system, then I suggest using message security with a custom username & password validator.

The steps to implement it are simple enough. You only need to implement a UserNamePasswordValidator:

A short configuration summary from the linked article:

Specify the security mode in your binding:

<security mode="Message">
    <message clientCredentialType="UserName"/>
</security>

In your service behavior add:

<serviceCredentials>
    <userNameAuthentication 
        userNamePasswordValidationMode="Custom" 
        customUserNamePasswordValidatorType="YourFullUserNameValidatorType"/>
</serviceCredentials>

Then clients just need to set their credentials directly on the service proxies. So they're not passed in service operations.

serviceClient.ClientCredentials.UserName.UserName = "username";
serviceClient.ClientCredentials.UserName.Password = "password";

Your UserNamePasswordValidator will get these credentials for each service operation call and you will have the chance to validate them against your credentials store.

However, for more security, you could look into certificate authentication. It's more reliable and you are not required to buy a cert from a CA. If you can also set yourself up as a CA on the client computers, then you're good to go. It's appropriate especially because you only have a few clients, so they would be easy to manage.
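An added example of such a validator (not code from the answer or from WCF itself); the class name, the in-memory credential store and the user "alice" are hypothetical, and WCF invokes Validate for every message that carries a UserName token:

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Hypothetical validator for the config above; register it by assembly-qualified
// name, e.g. customUserNamePasswordValidatorType="ExampleUserNameValidator, MyAssembly".
public class ExampleUserNameValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000, HashLength = 32;
    // Constructed in-memory store: user name -> (salt, PBKDF2 hash of the password).
    // A real deployment would read these from a database or directory instead.
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Store =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase);
    private static readonly byte[] DummySalt = new byte[16];

    static ExampleUserNameValidator()
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Store["alice"] = Tuple.Create(salt, Derive("correct horse battery", salt));
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashLength);
    }

    // Compare every byte so timing does not reveal where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // WCF calls this once per incoming message that carries a UserName token;
    // throwing here rejects the message before any service operation runs.
    public override void Validate(string userName, string password)
    {
        Tuple<byte[], byte[]> entry = null;
        bool known = !string.IsNullOrEmpty(userName) && Store.TryGetValue(userName, out entry);
        // Run the KDF even for unknown names so response time does not reveal valid users.
        byte[] hash = Derive(password ?? "", known ? entry.Item1 : DummySalt);
        if (!known || !FixedTimeEquals(hash, entry.Item2))
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}
```

Message security with UserName client credentials also needs a service certificate configured under serviceCredentials, since that certificate is what encrypts the password on the wire.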


For the question above the previous answer is good enough. However, I want to suggest another approach: Custom Token Authentication.

It is more powerful by giving a possibility to create/support Custom Service Credentials which are created based on the authentication token (UserName).

In my case I have an encrypted access token which holds all needed information for the access: user name, user groups (authorization information), validation period, etc.

In your case it can be UserName & Password. The Credential will hold the information about your user and can be used later on in the code.

See the following link for implementing Custom Token Authentication: https://docs.microsoft.com/en-us/dotnet/framework/wcf/samples/token-authenticator