Supporting Tokens

  • Article

Web Services Message Security has the concept of Primary and Supporting Tokens. The Primary token is the main token that provides security to the message. This signs the message body and other headers as required and serves as the main identity token for the sending party. There is also a concept of Supporting Tokens. As the name suggests this provides more information about the client. An example of a supporting token can be a Username/Password Token. WCF does not derive tokens from Username/Password and hence this cannot be used as the primary token. In this case the binding between the client and service can be secured with a Mutual Certificate or Kerberos, as the case be, and then you can add the Username/Password token as a Supporting token. Bearer Tokens are another place where you will use a Supporting token.

There are various methods to add the supporting tokens.

  • Signed Supporting Tokens
  • Signed & Encrypted Supporting Tokens

In the first case the Supporting token is just signed with the primary token. In the second case the supporting token is signed and encrypted by the primary token.

There is a class of Supporting tokens called Endorsing Tokens. These are just like supporting tokens except that these tokens have keys associated with them and will sign the primary signature and add another signature element to the message called the secondary signature. As you would imagine the secondary signature contains only one reference and it is the signature over the primary signature. I have seen in Interop with other stacks that some do tend to use secondary signature to add more security to the message by signing other parts of the message, re-signing the Body and signing the endorsing token itself. These over secure measures are unnecessary. There is a valid claim that some one can spoof the message and remove the endorsing token and put a different token and re-sign the primary signature. To avoid this you can sign the endorsing token as part of the primary signature. This is called Signed Endorsing Supporting Tokens. You can go a step ahead to encrypt the endorsing token too to create a Signed Encrypted Endorsing Supporting token.