I've recently worked on a project where a WCF service was involved, and a wsHttpBinding was used for authentication. A third party consuming the service with PHP complained that this approach didn't work out of the box in PHP and that it wasn't interopable enough (they preferred a RESTful approach, passing credentials with GET..)
I've never consumed a service with PHP, does their argument hold any water?
To expand:
Not being able to get something working out of the box in your language/environment isn't necessarily a good argument for lack of interopability and I'm not really convinced by them. I'm curious how interopable it is on a broader scale though, as I want my service to be easily consumable not just by .NET clients.
Additional note:
I use TransportWithMessageCredential, the credentials are verified IN the service, and not by IIS. What is the preferred way of supplying credentials to a RESTful service in this manner? (should this be a separate question?). I'm just wondering if it even IS a viable alternative in this scenario.
It's true that REST is very easy to implement on a wide range of programming platforms and operating systems (including, for instance, PHP on a Linux box, which is a very common setup).
WS-Security, as an extension to SOAP, is a standardized protocol and there exist implementations for other platforms than .NET. However, the range of free libraries here is very limited (for PHP, I don't know any) and it surely means more effort to connect to a WS-Security service than to a simple REST service, at least if the service uses protocol features that go beyond the scope of plain SOAP.
One more thing: HTTP has authentication support built in, so you can absolutely implement an authenticated RESTful service without adding credentials to the requested URL.