- A SecurityKeys property, to access the keys associated with this token.
- Two properties, ValidFrom and ValidTo, with the token’s validity period.
- A couple of methods for creating and matching key identifiers.
Most of the functionality related to security tokens is associated with three classes:
- SecurityTokenProvider abstract class – Defines the interface for the creation of security tokens, i.e., for token factories. Typically, there is one concrete derived class for each token type (e.g. X509SecurityTokenProvider).
Instances of classes derived from this one are used by the security protocol channel, at the message originator side, to create the tokens that are attached to the sent messages.
- SecurityTokenSerializer abstract class – Defines the interface for serialization/deserialization into/from XML (XmlWriter/XmlReader) of token instances. The majority of token types are handled by the concrete WSSecurityTokenSerializer class.
Instances of this type are used both at the message originator side and at the message recipient side.
- SecurityTokenAuthenticator abstract class – Defines the interface for token verification and also for extracting the token's claims. Typically, there is one concrete derived class for each token type (e.g. X509SecurityTokenAuthenticator).
Instances of this type are used by the security protocol channel, at the message recipient side, to validate the tokens attached to the received messages and to extract their claims.
The figure below shows these classes, with some members hidden for legibility.
How are the provider/serializer/authenticator instances created?
The WCF runtime uses an object of type SecurityTokenManager (abstract class) to create the provider/serializer/authenticator instances, via the methods:
- public abstract SecurityTokenProvider CreateSecurityTokenProvider( SecurityTokenRequirement tokenRequirement )
- public abstract SecurityTokenSerializer CreateSecurityTokenSerializer( SecurityTokenVersion version )
- public abstract SecurityTokenAuthenticator CreateSecurityTokenAuthenticator( SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver )
How is the SecurityTokenManager instance created?
Note that the ClientCredentials and ServiceCredentials classes hold the security configuration settings. These settings reach the token provider/serializer/authenticator actually used through a chain of factories:
- ClientCredentials and ServiceCredentials create the SecurityTokenManager
- SecurityTokenManager creates the SecurityToken[Provider|Serializer|Authenticator]
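As an added example (not code from the original post, nor part of WCF itself), the following C# wires up the chain just described on the service side: a ServiceCredentials subclass that returns a custom SecurityTokenManager, which in turn returns a custom SecurityTokenAuthenticator for UserName token requirements and defers every other requirement to the stock ServiceCredentialsSecurityTokenManager. The in-memory store of PBKDF2-hashed passwords, the class names and the NameClaimPolicy are assumptions made for the illustration; the base classes and the overridden members are the real WCF ones.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
// Hypothetical credential store: user name -> (salt, PBKDF2 hash of the password).
using Store = System.Collections.Generic.IDictionary<string, System.Tuple<byte[], byte[]>>;

// Step 1: ServiceCredentials. The runtime calls CreateSecurityTokenManager() on the
// ServiceCredentials behaviour attached to the host, so this is where the chain is hooked:
//   host.Description.Behaviors.Remove<ServiceCredentials>();
//   host.Description.Behaviors.Add(new InMemoryUserServiceCredentials(store));
public class InMemoryUserServiceCredentials : ServiceCredentials
{
    private readonly Store store;
    public InMemoryUserServiceCredentials(Store store) { this.store = store; }
    private InMemoryUserServiceCredentials(InMemoryUserServiceCredentials other)
        : base(other) { this.store = other.store; }

    // WCF clones the behaviour when the host opens; the clone must keep our store.
    protected override ServiceCredentials CloneCore() => new InMemoryUserServiceCredentials(this);

    public override SecurityTokenManager CreateSecurityTokenManager() =>
        new InMemoryUserTokenManager(this, store);
}

// Step 2: SecurityTokenManager. Only UserName requirements get our authenticator; every
// other requirement (X.509, derived keys, ...) falls through to the stock implementation.
public class InMemoryUserTokenManager : ServiceCredentialsSecurityTokenManager
{
    private readonly Store store;
    public InMemoryUserTokenManager(ServiceCredentials parent, Store store)
        : base(parent) { this.store = store; }

    public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(
        SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
    {
        if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
        {
            outOfBandTokenResolver = null; // password tokens carry no out-of-band key material
            return new InMemoryUserNameAuthenticator(store);
        }
        return base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
    }
}

// Step 3: SecurityTokenAuthenticator. Verifies the token and maps it to claims.
public class InMemoryUserNameAuthenticator : UserNameSecurityTokenAuthenticator
{
    private readonly Store store;
    public InMemoryUserNameAuthenticator(Store store) { this.store = store; }

    // PBKDF2 via Rfc2898DeriveBytes; the same function populates the store (assumption).
    public static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }

    // Compare every byte so timing does not reveal how long the matching prefix was.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateUserNamePasswordCore(
        string userName, string password)
    {
        Tuple<byte[], byte[]> entry;
        if (userName == null || password == null || !store.TryGetValue(userName, out entry)
            || !FixedTimeEquals(Derive(password, entry.Item1), entry.Item2))
        {
            // Same message for "no such user" and "wrong password": do not confirm account names.
            throw new SecurityTokenValidationException("Unknown user name or incorrect password.");
        }
        return new ReadOnlyCollection<IAuthorizationPolicy>(
            new IAuthorizationPolicy[] { new NameClaimPolicy(userName) });
    }
}

// The claims extracted from a valid token; WCF evaluates this when building ServiceSecurityContext.
public class NameClaimPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    private readonly string name;
    public NameClaimPolicy(string name) { this.name = name; }
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, Claim.CreateNameClaim(name)));
        return true;
    }
}
```

For a UserName requirement to reach the manager at all, the binding must still ask for UserName message credentials (for instance wsHttpBinding with Security.Message.ClientCredentialType = MessageCredentialType.UserName). Going through the token manager is the general mechanism the text describes and is what you need for a token type WCF does not know; for a plain password check WCF also offers the shorter route of a UserNamePasswordValidator set through ServiceCredentials.UserNameAuthentication, which does not touch the provider/serializer/authenticator chain.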