UserNameSecurityTokenAuthenticator Class

Authenticates a UserNameSecurityToken security token.

Namespace:  System.IdentityModel.Selectors
Assembly:  System.IdentityModel (in System.IdentityModel.dll)

public abstract class UserNameSecurityTokenAuthenticator : SecurityTokenAuthenticator

The UserNameSecurityTokenAuthenticator type exposes the following members.

Constructors

UserNameSecurityTokenAuthenticator (protected)
    Initializes a new instance of the UserNameSecurityTokenAuthenticator class.

Methods

CanValidateToken (public)
    Gets a value indicating whether the specified security token can be validated by this security token authenticator. (Inherited from SecurityTokenAuthenticator.)
CanValidateTokenCore (protected)
    Gets a value indicating whether the specified security token can be validated by this security token authenticator. (Overrides SecurityTokenAuthenticator.CanValidateTokenCore(SecurityToken).)
Equals(Object) (public)
    Determines whether the specified object is equal to the current object. (Inherited from Object.)
Finalize (protected)
    Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
GetHashCode (public)
    Serves as the default hash function. (Inherited from Object.)
GetType (public)
    Gets the Type of the current instance. (Inherited from Object.)
MemberwiseClone (protected)
    Creates a shallow copy of the current Object. (Inherited from Object.)
ToString (public)
    Returns a string that represents the current object. (Inherited from Object.)
ValidateToken (public)
    Authenticates the specified security token and returns the set of authorization policies for the security token. (Inherited from SecurityTokenAuthenticator.)
ValidateTokenCore (protected)
    Authenticates the specified security token and returns the set of authorization policies for the security token. (Overrides SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken).)
ValidateUserNamePasswordCore (protected)
    When overridden in a derived class, authenticates the specified user name and password and returns the set of authorization policies for UserNameSecurityToken security tokens.

Override the UserNameSecurityTokenAuthenticator class to authenticate security tokens based on a user name and password.

The Windows Communication Foundation (WCF) ships with the following classes that provide support for authenticating UserNameSecurityToken security tokens.

CustomUserNameSecurityTokenAuthenticator
    Allows an application to provide a custom authentication scheme for user names and passwords. The authentication scheme is provided using a class deriving from the UserNamePasswordValidator class.

WindowsUserNameSecurityTokenAuthenticator
    Authenticates the user name and password as a Windows account.

Most custom authentication schemes can use the CustomUserNameSecurityTokenAuthenticator class and implement a class that derives from the UserNamePasswordValidator class. However, if additional flexibility is needed, you can derive a class from the UserNameSecurityTokenAuthenticator class and override the ValidateUserNamePasswordCore method.

using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Text;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Principal;
using System.ServiceModel.Security;
using System.Text.RegularExpressions;

namespace Microsoft.ServiceModel.Samples
{
    class MyTokenAuthenticator : UserNameSecurityTokenAuthenticator
    {
        // Sample stub: every domain is accepted. A real implementation would
        // check the domain against a block list or an allow list here.
        static bool IsRogueDomain(string domain)
        {
            return false;
        }

        static bool IsEmail(string inputEmail)
        {
            // Accepts user@host, where host is a bracketed dotted IP address or a
            // dotted DNS name. The page lost the last line of the pattern; it is
            // restored here from the standard form of this sample.
            string strRegex = @"^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}" +
                  @"\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\" +
                  @".)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$";
            Regex re = new Regex(strRegex);
            if (re.IsMatch(inputEmail))
                return (true);
            else
                return (false);
        }

        bool ValidateUserNameFormat(string UserName)
        {
            if (!IsEmail(UserName))
            {
                Console.WriteLine("Not a valid email");
                return false;
            }
            string[] emailAddress = UserName.Split('@');
            string user = emailAddress[0];
            string domain = emailAddress[1];
            if (IsRogueDomain(domain))
                return false;
            return true;
        }

        protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password)
        {
            if (!ValidateUserNameFormat(userName))
                throw new SecurityTokenValidationException("Incorrect UserName format");

            // The sample checks only the user name format; the password is not
            // verified, so a real authenticator must check it against a
            // credential store before issuing the policy below.
            ClaimSet claimSet = new DefaultClaimSet(ClaimSet.System, new Claim(ClaimTypes.Name, userName, Rights.PossessProperty));
            List<IIdentity> identities = new List<IIdentity>(1);
            identities.Add(new GenericIdentity(userName));
            List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1);
            policies.Add(new UnconditionalPolicy(ClaimSet.System, claimSet, DateTime.MaxValue.ToUniversalTime(), identities));
            return policies.AsReadOnly();
        }
    }

    // Authorization policy that unconditionally adds the issued claim set and
    // the identities to the evaluation context.
    class UnconditionalPolicy : IAuthorizationPolicy
    {
        String id = Guid.NewGuid().ToString();
        ClaimSet issuer;
        ClaimSet issuance;
        DateTime expirationTime;
        IList<IIdentity> identities;

        public UnconditionalPolicy(ClaimSet issuer, ClaimSet issuance, DateTime expirationTime, IList<IIdentity> identities)
        {
            if (issuer == null)
                throw new ArgumentNullException("issuer");
            if (issuance == null)
                throw new ArgumentNullException("issuance");

            this.issuer = issuer;
            this.issuance = issuance;
            this.identities = identities;
            this.expirationTime = expirationTime;
        }

        public string Id
        {
            get { return this.id; }
        }

        public ClaimSet Issuer
        {
            get { return this.issuer; }
        }

        public DateTime ExpirationTime
        {
            get { return this.expirationTime; }
        }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            evaluationContext.AddClaimSet(this, this.issuance);

            if (this.identities != null)
            {
                object value;
                IList<IIdentity> contextIdentities;
                if (!evaluationContext.Properties.TryGetValue("Identities", out value))
                {
                    contextIdentities = new List<IIdentity>(this.identities.Count);
                    evaluationContext.Properties.Add("Identities", contextIdentities);
                }
                else
                {
                    contextIdentities = value as IList<IIdentity>;
                }
                foreach (IIdentity identity in this.identities)
                {
                    contextIdentities.Add(identity);
                }
            }

            return true;
        }
    }
}
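As an added example that is not part of the original page, the UserNamePasswordValidator route described above, wired through CustomUserNameSecurityTokenAuthenticator so that ValidateToken runs the page's ValidateTokenCore and ValidateUserNamePasswordCore chain and ends in the validator; unlike the sample above, the password is actually verified. The HashedPasswordValidator class, its in-memory store and the sample user are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Hypothetical validator (added example): passwords are verified against PBKDF2
// hashes in an in-memory store of constructed sample users, never as plaintext.
class HashedPasswordValidator : UserNamePasswordValidator
{
    readonly Dictionary<string, byte[][]> store = new Dictionary<string, byte[][]>(); // name -> { salt, key }
    readonly byte[] dummySalt = new byte[16];  // KDF input used when the user is unknown

    public void AddUser(string userName, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        store[userName] = new[] { salt, Derive(password, salt) };
    }
    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }
    // Compare every byte so timing does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public override void Validate(string userName, string password)
    {
        byte[][] entry = null;
        bool known = userName != null && store.TryGetValue(userName, out entry);
        // Run the KDF for unknown users too, so response time does not reveal valid names.
        byte[] actual = Derive(password ?? "", known ? entry[0] : dummySalt);
        if (!known || !FixedTimeEquals(actual, entry[1]))
            throw new SecurityTokenException("Invalid user name or password");
    }
    static void Main()
    {
        var validator = new HashedPasswordValidator();
        validator.AddUser("alice@example.com", "correct horse battery staple");
        // ValidateToken -> ValidateTokenCore -> ValidateUserNamePasswordCore -> Validate
        var authenticator = new CustomUserNameSecurityTokenAuthenticator(validator);
        var token = new UserNameSecurityToken("alice@example.com", "correct horse battery staple");
        Console.WriteLine(authenticator.ValidateToken(token).Count);  // throws on a wrong password
    }
}
```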

.NET Framework

Supported in: 4.6, 4.5, 4, 3.5, 3.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
