SecurityTokenHandler Class

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

Defines the interface for a Custom Security Token Handler.

Namespace: Microsoft.IdentityModel.Tokens
Assembly: Microsoft.IdentityModel (in Microsoft.IdentityModel.dll)


Dim instance As SecurityTokenHandler


Public MustInherit Class SecurityTokenHandler
public abstract class SecurityTokenHandler
public ref class SecurityTokenHandler abstract
public abstract class SecurityTokenHandler
public abstract class SecurityTokenHandler


using (ServiceHost host = new ServiceHost(typeof(ClaimsAwareWebService), new Uri("https://localhost:6020/ClaimsAwareWebService")))
     // Update the service credentials so that it can deserialize 
     // the custom token 
      ExtensibleServiceCredentials creds = new ExtensibleServiceCredentials();

CustomTokenHandler handler = new CustomTokenHandler();

// Add the custom token handler
      creds.TokenHandlers.Add( handler );



      Console.WriteLine(“Service is ready, press ENTER to close ...”);


// Class that implements a custom security token handler

// This class derives from the SecurityTokenHandler class so that 
// the STS can issue a custom token.

    class CustomTokenHandler : SecurityTokenHandler
        public const string TokenName = "MyDecisionToken";
        public const string Decision = "Decision";
        public const string TokenNamespace = "https://localhost/TokenNamespace";
        public const string Id = "Id";
        public const string Key = "Key";
        public const string DecisionClaimType = "https://localhost/DecisionClaimType";

// Define any necessary configurations 

        public CustomTokenHandler()
            : base()

// Implement the methods needed to handle validate/create of custom tokens

        /// <summary>
        /// This gets called by the STS to issue a token
        /// </summary>
        /// <param name="tokenDescriptor">The token descriptor.</param>
        /// <returns>The security token.</returns>
        public override SecurityToken CreateToken( SecurityTokenDescriptor tokenDescriptor )
// Determine the claims that need to go in the token

// Create an instance of custom security token
// Custom security tokens are created by implementing a 
// class that derives from the SecurityToken class exposed 
// by WIF

SecurityToken token = MySecurityToken(…);
return token;
        /// <summary>
        /// Gets the System.Type of the SecurityToken this instance handles.
        /// </summary>
        public override Type TokenType
                return typeof(MySecurityToken);

        /// <summary>
        /// Gets the URI used in requests to identify a token of the type handled
        /// by this instance. 
        /// </summary>
        /// <remarks>
        /// For example, this should be the URI value used 
        /// in the RequestSecurityToken's TokenType element to request this
        /// sort of token.
        /// </remarks>
        public override string TokenTypeIdentifier
                return “Custom Token Type”;

        /// <summary>
        /// This gets called on the STS to serialize the token 
        /// </summary>
        /// <param name="writer"></param>
        /// <param name="token"></param>
        /// <param name="serializer"></param>
        /// <exception cref="ArgumentException">When the token is null.</exception>
        public override void WriteToken( XmlWriter writer, SecurityToken token, SecurityTokenSerializer serializer )
            MySecurityToken decisionToken = token as MySecurityToken;

// Check for valid instance creation for decisionToken

// Create a signature writer to serialize the token
            EnvelopedSignatureWriter envWriter = new EnvelopedSignatureWriter( writer, decisionToken.SigningCredentials, decisionToken.Id, serializer ); 

            // Start the tokenName
            envWriter.WriteStartElement( TokenName, TokenNamespace );
            envWriter.WriteAttributeString( Id, token.Id );
            // Write the decision element
            envWriter.WriteElementString( Decision, TokenNamespace, Convert.ToString( decisionToken.Decision ) );

            // Write the key
            envWriter.WriteElementString( Key, TokenNamespace, Convert.ToBase64String( ( (MySecurityToken)token ).RetrieveKeyBytes() ) );
            // Close the TokenName element

        /// <summary>
        /// Indicates whether this handler supports validation of tokens 
        /// handled by this instance.
        /// </summary>
        /// <returns>true if the class is capable of SecurityToken
        /// validation.</returns>
        public override bool CanValidateToken
            get { return true; }

        /// <summary>
        /// Validates a token and returns its claims.
        /// </summary>
        /// <param name="token">The security token.</param>
        /// <returns>The collection of claims contained in the token.</returns>
        public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
                // Generate the decision claim based on the decision
                ClaimsIdentityCollection identities = new ClaimsIdentityCollection();

// Add necessary claims that need to be added in the 
// token

                return identities;


SecurityTokenHandler defines an interface for plugging custom token handling functionality. Using the SecurityTokenHandler you can add functionality to serialize, de-serialize, authenticate and create the token. The framework maintains a single copy of the SecurityTokenHandler for each token type. So custom token handlers should not have any state information associated with the handler.

Custom token handler can be registered in application configuration inside the <tokenHandlers> element or by adding it to the ExtensibleServiceCredentials.TokenHandlers collection programmatically.

Inheritance Hierarchy

     Derived Classes

Thread Safety

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.


Target Platforms

Windows 7, Windows Server 2008 R2, Windows Vista SP2, Windows Server 2008 SP2, Windows Server 2003 SP2 (32-bit or 64-bit)

Change History

See Also


SecurityTokenHandler Members
Microsoft.IdentityModel.Tokens Namespace

Copyright © 2008 by Microsoft Corporation. All rights reserved.