There's a Dynamic CRM instance on a server ("on-premises"). It will be used by a few sites that run on distant machines (another domain, another Active Directory). The communication between those sites and the CRM instance is done via a CRM proxy, a WCF service that sits near it (near CRM), handles requests, queries CRM etc.
That WCF service is facing the Internet. Although secured communication channels aren't that necessary, authentication is. We cannot let random clients to use the services provided by the CRM proxy.
So, Authentication Service (cookies?) / hand-coded token passing (as a parameter for each service operation) / this solution - on stackoverflow.
Thank you in advance!
PS: hand-coded tokens would be "time-sensitive" and hashed a few times with some secret keys. Man-in-the-middle might not be such a big problem, as a token can be invalidated after a request.