What Is a Token in Claims-Based Identity
Hello everybody,
today I want to write a few words about what a token is.
Put simply, a token is a set of bytes that expresses information about some subject (usually a user).
This information consists of one or more claims. Each claim contains information about the subject.
The general structure of a token looks like this:
Now a few words about its purpose. If a user wants to use some system, he needs to get a security token (a set of bytes) from some authority. After getting the token, the user uses it to get access to the system.
The system itself looks at the claims and at the signature and, depending on the claims, either grants permission for some activity or not. The signature in the token indicates who issued the token and protects it from changes.
The token issuer in some way gets information from the user about his identity, and then guarantees that the information is correct.
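The flow described above, as an added example that is not part of the original post: an issuer signs a set of claims, and the system verifies the signature and issuer before it looks at any claim. The token layout, the shared HMAC key, the claim names and the issuer URL are all assumptions made for illustration; real SAML tokens are XML documents carrying the issuer's asymmetric signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by issuer and system (assumption for this sketch).
ISSUER_KEY = b"constructed-demo-key"
TRUSTED_ISSUER = "https://sts.example.test"  # hypothetical issuer name

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: serialize the claims and append a signature over them."""
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

def verify_token(token: str, key: bytes = ISSUER_KEY):
    """System side: return the claims only if signature and issuer check out."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return None  # malformed token: wrong part count or bad base64
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; claims are parsed only after this passes.
    if not hmac.compare_digest(sig, expected):
        return None  # claims were changed, or signed by someone else
    claims = json.loads(body)
    if claims.get("issuer") != TRUSTED_ISSUER:
        return None  # validly signed, but not by the issuer this system trusts
    return claims

def is_allowed(token: str, required_role: str) -> bool:
    """Authorization decision based on verified claims only."""
    claims = verify_token(token)
    return claims is not None and required_role in claims.get("roles", [])

if __name__ == "__main__":
    # Constructed sample claims.
    token = issue_token({"issuer": TRUSTED_ISSUER, "subject": "alice",
                         "roles": ["reader"]})
    print(is_allowed(token, "reader"), is_allowed(token, "admin"))
```

Editing a claim inside the token without the issuer's key changes the bytes the signature covers, so `verify_token` returns `None` and no claim from that token is ever used.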
STS and Identity providers
Software that produces tokens is commonly called an STS, or security token service.
An STS produces tokens in some format. One of the popular formats is SAML, or Security Assertion Markup Language. An organization that uses an STS to provide tokens is called an identity provider or
issuer. Some examples of identity providers: Facebook, Google, your employer.