I am trying to implement a custom SecurityToken and SecurityTokenHandler for an STS using Microsoft.IdentityModel (= Windows Identity Foundation).
The token is serialized to a simple XML document with a signature (using an X509 certificate) and is sometimes (not always) encrypted (depending on the target realm).
Until now it worked quite well, but I got stuck on SecurityTokenHandler.CreateSecurityTokenReference(SecurityToken token, bool attached), which should return a SecurityKeyIdentifierClause.
My question is: what is a SecurityKey, SecurityKeyIdentifier and SecurityKeyIdentifierClause in general, and for my scenario (RSA-signed (and encrypted) XML token) specifically?
There is almost no documentation on MSDN and I couldn't find anything else helpful on this topic.
Thanks in advance.
P.S.: I know the easiest and recommended way is to use a built-in token format like SAML, but the token is evaluated by a legacy system which expects a specific format I have no influence on.
In the meantime I found answers to the questions myself:
SecurityKey
A SecurityKey is used for cryptographic operations. This is not needed by bearer token implementations. Therefore you can just return an empty list in the corresponding property of the SecurityToken:
SecurityKeyIdentifierClause
As already pointed out by the other answer a SecurityKeyIdentifierClause is kind of the unique identifier of a security token. It is used by a SecurityTokenResolver to return the corresponding SecurityToken for a specified SecurityKeyIdentifierClause.
Probably the best solution for your own SecurityTokenHandler implementation is to return a LocalIdKeyIdentifierClause with the id of your token as the localId parameter:
SecurityKeyIdentifier
A SecurityKeyIdentifier is a collection of SecurityKeyIdentifierClauses. Whenever needed you can use the implementation in System.IdentityModel.Tokens. There is usually no need to take care of this yourself.
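As an added example (not code from the question or the answer), a minimal bearer SecurityToken with an empty SecurityKeys collection and a SecurityTokenHandler whose CreateSecurityTokenReference returns a LocalIdKeyIdentifierClause, written against .NET 4.5's System.IdentityModel.Tokens; the class names and the placeholder token-type URI are assumptions. In WIF 3.5 the SecurityTokenHandler base class lives in Microsoft.IdentityModel.Tokens instead.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens; // WIF 3.5: SecurityTokenHandler is in Microsoft.IdentityModel.Tokens

// Hypothetical bearer token for the legacy XML format. It carries no SecurityKey,
// so SecurityKeys is empty; the token is referenced by its Id only.
public class LegacyXmlToken : SecurityToken
{
    private readonly string id;
    private readonly DateTime validFrom, validTo;
    private static readonly ReadOnlyCollection<SecurityKey> NoKeys =
        new ReadOnlyCollection<SecurityKey>(new SecurityKey[0]);

    public LegacyXmlToken(string id, DateTime validFrom, DateTime validTo)
    { this.id = id; this.validFrom = validFrom; this.validTo = validTo; }

    public override string Id { get { return id; } }
    public override ReadOnlyCollection<SecurityKey> SecurityKeys { get { return NoKeys; } }
    public override DateTime ValidFrom { get { return validFrom; } }
    public override DateTime ValidTo { get { return validTo; } }

    // The framework asks whether this token can be referenced by a local id clause...
    public override bool CanCreateKeyIdentifierClause<T>()
    {
        return typeof(T) == typeof(LocalIdKeyIdentifierClause) || base.CanCreateKeyIdentifierClause<T>();
    }
    public override T CreateKeyIdentifierClause<T>()
    {
        if (typeof(T) == typeof(LocalIdKeyIdentifierClause))
            return new LocalIdKeyIdentifierClause(id) as T;
        return base.CreateKeyIdentifierClause<T>();
    }
    // ...and a SecurityTokenResolver asks whether a clause it holds refers to this token.
    public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause clause)
    {
        var local = clause as LocalIdKeyIdentifierClause;
        return local != null && local.Matches(id);
    }
}

public class LegacyXmlTokenHandler : SecurityTokenHandler
{
    public override Type TokenType { get { return typeof(LegacyXmlToken); } }
    public override string[] GetTokenTypeIdentifiers()
    {
        return new[] { "urn:example:legacy-xml-token" }; // placeholder URI, assumption
    }
    // The reference is just the token's id; 'attached' makes no difference for a local-id clause.
    public override SecurityKeyIdentifierClause CreateSecurityTokenReference(SecurityToken token, bool attached)
    {
        if (token == null) throw new ArgumentNullException("token");
        return new LocalIdKeyIdentifierClause(token.Id);
    }
}
```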