Scenario:

1. I have an ASP.NET MVC 2 site using ASP.NET Forms Authentication.

2. The site includes a Silverlight 4 application that needs to securely call internal web services.

3. The web services also need to be publically exposed for third party authenticated access.

Challenges:

1. Securely accessing webservices from Silverlight using the current users identity without requiring the user to re-login in in the Silverlight application.

2. Providing a secure way for third party applications to access the same webservices the same users credentials, ideally with out using ASP.NET Forms Authentication.

Additional details and limitations:

1. This application is hosted in Azure.

2. We would rather NOT use RIA Services if at all possible.

Solutions Under Consideration:

1. I think that if the webservices are part of the same MVC site that hosts the Silverlight application then forms authentication should probably "just work" from Silverlight based on the users forms auth cookies. But this seems to rule out the possibility of hosting the webservices seperately (which is desirable in our scenario).

2. For third-party access to the web services I'm guessing that seperate endpoints with a different authenication solution is probably the right answer, but I would rather only support one version of the services if possible...

Questions:

1. Can anybody point me towards any sample applications that implements something like this?

2. How would you recommend implementing this solution?