Security Token Service


Security Token Service or STS is a Token Service Provider which is responsible for issuing security tokens, as part of a claims-based identity system.[1]

In OAuth 2.0 and SAML, the STS may typically be thought of as a function within the Identity Provider (IDP).

A Security Token Service (STS) is a service capable of validating and issuing security tokens, which enables clients to obtain appropriate access credentials for resources in heterogeneous environments or across security Domains.

Web Service clients have traditionally used WS-Trust as the protocol for interacting with an STS to exchange tokens; however, WS-Trust is a fairly heavyweight protocol built on XML, SOAP and related standards.

The trend in modern Web development, by contrast, has been towards lightweight services built on RESTful patterns and JSON. The OAuth 2.0 Authorization Framework RFC 6749 and OAuth 2.0 Bearer Tokens RFC 6750 have emerged as popular standards for authorizing and securing access to HTTP and RESTful resources, but they do not provide everything necessary for token exchange interactions. OAuth 2.0 Token Exchange defines a lightweight protocol extending OAuth 2.0 that enables clients to request and obtain security tokens from authorization servers acting in the role of an STS.
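The following is an added illustration, not code from the page or from any STS product, of the core logic an authorization server runs when it acts as an STS for an OAuth 2.0 Token Exchange (RFC 8693) request: it validates the incoming subject token, refuses to widen scope, and issues a short-lived token bound to the requested audience. It assumes HS256 JWTs with constructed demo secrets, JWT-only subject tokens, and no actor_token (delegation) handling.

```python
import base64, hashlib, hmac, json, time

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TYPE = "urn:ietf:params:oauth:token-type:access_token"
# Constructed demo keys (not real secrets): HS256 keys shared with the IdP that
# signs incoming subject tokens and with the resource that verifies issued ones.
KEYS = {"idp": b"idp-demo-secret", "sts": b"sts-demo-secret"}
def b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims, key):
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token, key, now):
    """Check signature and expiry; raise ValueError on any failure."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def token_exchange(form, now=None):
    """STS logic for one RFC 8693 request; `form` is the parsed POST body."""
    now = int(time.time()) if now is None else now
    if form.get("grant_type") != GRANT:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != JWT_TYPE or "subject_token" not in form:
        return {"error": "invalid_request"}
    try:  # validate the incoming token before issuing anything
        subject = verify_jwt(form["subject_token"], KEYS["idp"], now)
    except ValueError:
        return {"error": "invalid_grant"}
    if not form.get("audience"):  # RFC 8693 error code for a missing/unknown target
        return {"error": "invalid_target"}
    # Never widen privilege: the issued scope must be a subset of the subject token's.
    allowed = set(subject.get("scope", "").split())
    wanted = set(form.get("scope", "").split()) or allowed
    if not wanted <= allowed:
        return {"error": "invalid_scope"}
    lifetime = 300  # short-lived token bound to the named target resource
    issued = sign_jwt({"iss": "sts", "sub": subject["sub"], "aud": form["audience"],
                       "scope": " ".join(sorted(wanted)), "exp": now + lifetime}, KEYS["sts"])
    return {"access_token": issued, "issued_token_type": ACCESS_TYPE,
            "token_type": "Bearer", "expires_in": lifetime}
```

A real deployment would use asymmetric keys published via JWKS and check `iss`/`aud` on the subject token as well; the error codes returned are the ones RFC 8693 and RFC 6749 define for each failure.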
