A Security Token Service (STS) was originally described in the WS-Trust and WS-Federation specifications as the component that builds, signs, and issues security tokens. Under WS-Trust a token issuing authority uses an STS to
WS-Trust and its dependent standards are rich and nuanced specifications that support SOAP-based web services. This application implements specifications developed within the IETF OAuth working group that provide (most) WS-Trust capabilities and features via REST + JSON protocols (as opposed to SOAP + XML).
[Figure: Generic security token service actor model. Dotted items are external.]
The security token service provides standardized methods to
Note that establishing actor identity and accessing relying party services are outside the scope of the STS.
Use cases
The security token service identifies an actor by issuing electronic tokens that the actor presents to identify itself when accessing a service. Tokens issued by the STS assert the actor's identity, and a relying party may (or may not) trust the STS assertion.
In its simplest form the token is merely a convenient substitute for a username plus password. In more complex configurations, the STS enables delegation of authority, trusted identity management, and federated authentication and authorization. In the typical configuration an actor configures a client to access a service on the actor's behalf; this process is called delegation.
STS concepts and background
An STS is capable of validating security tokens presented to it and issuing new security tokens in response, which lets clients obtain appropriate access credentials for resources in heterogeneous environments or across security domains.
Web service clients have used WS-Trust as the protocol to interact with an STS for token exchange. WS-Trust uses XML and SOAP, while the trend in modern web development has been towards RESTful (Representational State Transfer) patterns and JSON.
Many (but not all) of the WS-Trust features are replicated in the OAuth 2.0 Token Exchange specification (RFC 8693), which enables security token exchange in a secure and standardized manner using REST + JSON.
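The following is an added example, not the application's own code, that shows both the token exchange just described and the delegation case from the use cases above: a client presents the actor's subject token together with its own actor token, and the STS issues a new token whose "act" claim records who is acting on whose behalf (RFC 8693 section 4.1). It assumes HS256-signed JWTs, two constructed shared secrets, the issuer name https://sts.example.test, a 300-second lifetime and the sample subjects "alice" and "reporting-service"; none of these come from the page.

```python
"""Minimal RFC 8693 token exchange handler using only the Python stdlib.

Added example (not the project's implementation). Keys, issuer and subject
names are constructed assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

INBOUND_KEY = b"constructed-idp-shared-secret"    # verifies tokens the STS accepts
OUTBOUND_KEY = b"constructed-sts-signing-secret"  # signs tokens the STS issues
STS_ISSUER = "https://sts.example.test"           # assumed issuer name
LIFETIME = 300                                    # assumed lifetime in seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Compact-serialized HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> Optional[dict]:
    """Return the claims if alg, signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # refuse anything but the one algorithm we key for
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def token_exchange(form: dict, now: Optional[float] = None) -> dict:
    """Process the POST parameters of a token-exchange request and return the
    JSON response body (RFC 8693 section 2.2). Per section 2.2.2, any invalid
    subject or actor token yields the 'invalid_request' error code."""
    now = time.time() if now is None else now
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != JWT_TYPE:
        return {"error": "invalid_request"}
    subject = verify_jwt(form.get("subject_token", ""), INBOUND_KEY, now)
    if subject is None:
        return {"error": "invalid_request"}
    claims = {"iss": STS_ISSUER, "sub": subject["sub"], "iat": int(now), "exp": int(now) + LIFETIME}
    if "audience" in form:
        claims["aud"] = form["audience"]
    if "actor_token" in form:
        # Delegation: actor_token_type is required whenever actor_token is sent.
        if form.get("actor_token_type") != JWT_TYPE:
            return {"error": "invalid_request"}
        actor = verify_jwt(form["actor_token"], INBOUND_KEY, now)
        if actor is None:
            return {"error": "invalid_request"}
        claims["act"] = {"sub": actor["sub"]}  # who is acting on the subject's behalf
    return {
        "access_token": mint_jwt(claims, OUTBOUND_KEY),
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": LIFETIME,
    }


def demo(now: float = 1_700_000_000.0) -> Optional[dict]:
    """Constructed delegation exchange: the IdP's token for user 'alice' plus the
    client's own token are swapped for an STS token scoped to one audience.
    Returns the claims the relying party sees after verifying with the STS key."""
    idp = "https://idp.example.test"
    subject_token = mint_jwt({"iss": idp, "sub": "alice", "exp": int(now) + 60}, INBOUND_KEY)
    actor_token = mint_jwt({"iss": idp, "sub": "reporting-service", "exp": int(now) + 60}, INBOUND_KEY)
    response = token_exchange({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token, "subject_token_type": JWT_TYPE,
        "actor_token": actor_token, "actor_token_type": JWT_TYPE,
        "audience": "https://api.example.test",
    }, now=now)
    return verify_jwt(response["access_token"], OUTBOUND_KEY, now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two keys are deliberate: the relying party trusts only tokens signed with the STS key, so a token from the upstream identity provider cannot be replayed straight to the service, and a token the STS issued cannot be fed back to it as a subject token. The verifier also pins the algorithm before checking the signature, which is the usual defence against "alg" confusion in JWT libraries.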