SecurityTokenHandler Class

.NET Framework 4.5

The abstract base class for security token handlers.

Namespace:  System.IdentityModel.Tokens
Assembly:  System.IdentityModel (in System.IdentityModel.dll)

public ref class SecurityTokenHandler abstract : ICustomIdentityConfiguration

The SecurityTokenHandler type exposes the following members.

  NameDescription
Protected methodSecurityTokenHandlerCalled from constructors in derived classes to initialize the SecurityTokenHandler class.
Top

  NameDescription
Public propertyCanValidateTokenGets a value that indicates whether the handler supports validation of security tokens.
Public propertyCanWriteTokenGets a value that indicates whether the handler can serialize security tokens.
Public propertyConfigurationGets or sets the SecurityTokenHandlerConfiguration object that provides configuration for the current instance.
Public propertyContainingCollectionGets the token handler collection that contains the current instance.
Public propertyTokenTypeWhen overridden in a derived class, gets the type of the security token that is processed by this instance.
Top

  NameDescription
Public methodCanReadKeyIdentifierClauseReturns a value that indicates whether the XML element referred to by the specified XML reader is a key identifier clause that can be deserialized by this instance.
Public methodCanReadToken(String)Returns a value that indicates whether the specified string can be deserialized as a token of the type processed by this instance.
Public methodCanReadToken(XmlReader)Returns a value that indicates whether the XML element referenced by the specified XML reader can be read as a token of the type processed by this instance.
Public methodCanWriteKeyIdentifierClauseReturns a value that indicates whether the specified key identifier clause can be serialized by this instance.
Public methodCreateSecurityTokenReferenceWhen overridden in a derived class, creates the security token reference for tokens processed by that class. This method is typically called by a security token service (STS).
Public methodCreateTokenWhen overridden in a derived class, creates a security token using the specified token descriptor. This method is called by a security token service (STS).
Protected methodDetectReplayedTokenWhen overridden in a derived class, throws an exception if the specified token is detected as being replayed.
Public methodEquals(Object)Determines whether the specified object is equal to the current object. (Inherited from Object.)
Protected methodFinalizeAllows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
Public methodGetHashCodeServes as the default hash function. (Inherited from Object.)
Public methodGetTokenTypeIdentifiersWhen overridden in a derived class, returns the set of URIs that are used in requests to identify a token of the type processed by the derived class.
Public methodGetTypeGets the Type of the current instance. (Inherited from Object.)
Public methodLoadCustomConfigurationWhen overridden in a derived class, loads custom configuration from XML.
Protected methodMemberwiseCloneCreates a shallow copy of the current Object. (Inherited from Object.)
Public methodReadKeyIdentifierClauseWhen overridden in a derived class, deserializes the XML referenced by the specified XML reader to a key identifier clause that references a token processed by the derived class.
Public methodReadToken(String)When overridden in a derived class, deserializes the specified string to a token of the type processed by the derived class.
Public methodReadToken(XmlReader)When overridden in a derived class, deserializes the XML referenced by the specified XML reader to a token of the type processed by the derived class.
Public methodReadToken(XmlReader, SecurityTokenResolver)When overridden in a derived class, deserializes the XML referenced by the specified XML reader to a token of the type processed by the derived class by using the specified token resolver.
Public methodToStringReturns a string that represents the current object. (Inherited from Object.)
Protected methodTraceTokenValidationFailureTraces the failure event during the validation of security tokens when tracing is enabled.
Protected methodTraceTokenValidationSuccessTraces the successful validation of security tokens event when tracing is enabled.
Public methodValidateTokenWhen overridden in a derived class, validates the specified security token. The token must be of the type processed by the derived class.
Public methodWriteKeyIdentifierClauseWhen overridden in a derived class, serializes the specified key identifier clause to XML. The key identifier clause must be of the type supported by the derived class.
Public methodWriteToken(SecurityToken)When overridden in a derived class, serializes the specified security token to a string. The token must be of the type processed by the derived class.
Public methodWriteToken(XmlWriter, SecurityToken)When overridden in a derived class, serializes the specified security token to XML. The token must be of the type processed by the derived class.
Top

The SecurityTokenHandler class is the base class from which all security token handlers derive. A security token handler is responsible for:

  • Validating security tokens (SecurityToken) of the type it is designed to process and packaging the claims contained in the token into a ClaimsIdentity object.

  • Serializing and deserializing security tokens of the type it is designed to process.

  • Serializing and deserializing key identifier clauses (SecurityKeyIdentifierClause) that refer to tokens of the type it is designed to process to and from <wsse:SecurityTokenReference> elements.

  • Creating security tokens from a SecurityTokenDescriptor object passed by implementations of the SecurityTokenService class.

  • Creating key identifier clauses from a security token for implementations of the SecurityTokenService class.

Windows Identity Foundation (WIF) ships the following security token handlers out of the box:

Most of these classes expose additional members that implement functionality that is specific to the processing of the tokens for which the class is designed. In many cases it may be better to derive from one of these classes rather than directly from the SecurityTokenHandler class.

A security token handler can be added or removed from a token handler collection by specifying the <add> [securityTokenHandlers], <remove> [securityTokenHandlers], or <clear> [securityTokenHandlers] elements under the <securityTokenHandlers> element in a configuration file. The SecurityTokenHandlerConfiguration object that contains the configuration settings for the handler collection can be accessed through the Configuration property and the handler collection that the token handler is a member of can be accessed from the ContainingCollection property. You can override the LoadCustomConfiguration method to process any custom configuration elements that your handler takes.

The SecurityTokenHandler class exposes several other properties and methods. Depending on the functionality that you choose to implement, you may override some or all of these members.

You must override the TokenType property and the GetTokenTypeIdentifiers method to provide the WIF infrastructure with information about the type of security token that your class is designed to process.

Validation, serialization, and deserialization functionality is exposed through properties or methods that indicate whether the handler can perform a specific function combined with the method or methods that implement the functionality. The following list pairs the properties or methods that indicate functionality with the methods that implement that functionality:

The CreateToken and the CreateSecurityTokenReference methods are called from the pipeline in implementations of the SecurityTokenService class.

The DetectReplayedToken method is called by the WIF infrastructure to determine whether the specified token has already been received. By default this method returns false, which indicates that the token has not already been received. You can override the method and provide logic to detect replayed tokens.

The code examples in all of the SecurityTokenHandler topics are taken from the Custom Token sample. This sample provides custom classes that enable processing of Simple Web Tokens (SWT). For information about this sample and other samples available for WIF and where to download them, see WIF Code Sample Index. The following XML shows how to add the SWT token handler to the token handlers collection.

  <system.identityModel>
    <identityConfiguration saveBootstrapContext="true">
      <issuerTokenResolver type="SimpleWebToken.CustomIssuerTokenResolver, SimpleWebToken">
        <AddAudienceKeyPair  symmetricKey="wAVkldQiFypTQ+kdNdGWCYCHRcee8XmXxOvgmak8vSY=" audience="http://localhost:19851/" />
      </issuerTokenResolver>
      <issuerNameRegistry type="RelyingParty.TrustedIssuerNameRegistry, RelyingParty"/>
      <audienceUris>
        <add value="http://localhost:19851/"/>
      </audienceUris>
      <securityTokenHandlers>
        <add type="SimpleWebToken.SimpleWebTokenHandler, SimpleWebToken" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>

.NET Framework

Supported in: 4.6, 4.5

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft