4.1 Security Token Issued by STS

In this example,  a client attempts to access a resource on the server. The server responds with an HTTP 401 challenge that lists the security token issuers it trusts in the trusted_issuers field. An example of such a challenge is as follows.

 HTTP/1.1 401 Unauthorized
 Server: Fabrikam/7.5
 request-id: 443ce338-377a-4c16-b6bc-c169a75f7b00
 X-FEServer: DUXYI01CA101
 WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0001-0000-c000-000000000000@*"
 WWW-Authenticate: Basic Realm=""
 X-Powered-By: ASP.NET
 Date: Thu, 19 Apr 2012 17:04:16 GMT
 Content-Length: 0
  1. The client sends its credentials to the indicated token issuer, which is an STS.

  2. The STS authenticates the client and issues an actor token to the client.

  3. The client uses the actor token to access the resource it requested on the server.

The following is an example of an actor token issued by an STS. For more information about the claim values contained in this security token, see section 2.2.

 actor:
 {
     "typ":"JWT",
     "alg":"RS256",
     "x5t":"XqrnFEfsS55_vMBpHvF0pTnqeaM"
 }.{
     "aud":"00000003-0000-0ff1-ce00-000000000000/contoso.com@b84c5afe-7ced-4ce8-aa0b-df0e2869d3c8",
     "iss":"00000001-0000-0000-c000-000000000000@b84c5afe-7ced-4ce8-aa0b-df0e2869d3c8",
     "nbf":"1323380070",
     "exp":"1323383670",
     "nameid":"00000002-0000-0ff1-ce00-000000000000@b84c5afe-7ced-4ce8-aa0b-df0e2869d3c8",
     "identityprovider":"00000001-0000-0000-c000-000000000000@b84c5afe-7ced-4ce8-aa0b-df0e2869d3c8"
 }
Show: