Token-based authentication is nothing special. It still generally uses HTTP and therefore an HttpWebRequest should work just fine for it. This is how token-based authentication typically happens.

First of all, there are three different parties involved with token or claims-based authentication. The server that is being authenticated to, the client that is authenticating, and a third party, the token provider. Typical authentication only includes a client and a server, but in the case of token-based authentication, there is the token provider. The token provider is known to the client and is trusted by the server.

The authentication process proceeds by the client making an HTTP request to the token provider, asking for the provider to provide a token to the client. Of course, at this point, the client will most likely need to authenticate to the token provider – this is usually done using conventional authentication methods. Assuming the client authenticates to the token provider, the token provider will respond with a token. The client then takes this token and makes a request to the server with the token included. The token has been signed such that the server can tell that the token came from its trusted token provider and what privileges the client should have.

Long story short, HttpWebRequest should be perfectly adequate. The only problem is that you’ll have to know all of the specifics of the server and token provider, such as how the client is supposed to authenticate to the token provider (basic HTTP auth? posted username/password?), how the token provider responds with the token (included in the response? sets cookies?), how the server then expects the client to authenticate using the token (post the token to the server? set a cookie with the token?), etc.