The Key Bridge Security Token Service (STS) provides standardized methods to
Figure: Generic security token service actor model. Dotted items are external
A security token service vouches for an actor's identity. It does this by issuing electronic tokens that the actor presents when accessing a service. Tokens issued by the STS assert the actor's identity, and a relying party may (or may not) trust that assertion; whether to trust a given STS is the relying party's decision, and nothing in the token itself can establish that trust.
Note that establishing the actor's identity in the first place (authentication) and granting or denying access at the relying party (authorization) are both outside the scope of the STS.
Use cases
In its simplest form the token is merely a convenient substitute for a username and password. Because such a token is a bearer credential, it must be protected like the password it replaces, and it should be short-lived and scoped to a specific audience so that a leaked token is worth less than a leaked password. In more complex configurations, the STS enables delegation of authority, trusted identity management, and federated authentication and authorization. In the typical configuration, an actor configures a client to access a service on the actor's behalf; the client presents a token that names both the actor and the client, and the service can see that the client is acting for the actor. This process is called delegation.
STS concepts
A Security Token Service (STS) is a service capable of validating security tokens provided to it and issuing new security tokens in response. This enables clients to obtain appropriate access credentials for resources in heterogeneous environments or across security domains.

Web service clients have traditionally used WS-Trust [WS-Trust] as the protocol for interacting with an STS for token exchange. WS-Trust uses XML and SOAP, whereas modern web development has moved towards RESTful (Representational State Transfer) patterns and JSON. The OAuth 2.0 Authorization Framework (RFC 6749) and OAuth 2.0 Bearer Token Usage (RFC 6750) have emerged as the popular standards for authorizing third-party applications' access to HTTP and RESTful resources.

The conventional OAuth 2.0 interaction exchanges some representation of resource owner authorization for an access token, which has proven to be an extremely useful pattern in practice. However, its input and output are too constrained as-is to fully accommodate a security token exchange framework: none of the RFC 6749 grant types lets a client present a token it already holds and obtain a new one for a different audience or one that records that it is acting on behalf of another party. That is the gap the OAuth 2.0 Token Exchange extension (RFC 8693) fills with the urn:ietf:params:oauth:grant-type:token-exchange grant and its act (actor) claim.