Custom SecurityTokenHandler for WIF
I am trying to implement a custom SecurityToken and SecurityTokenHandler for an STS using Microsoft.IdentityModel (= Windows Identity Foundation).
The token is serialized to a simple xml document with signature (using a X509 certificate) and is sometimes (not always) encrypted (depends on the target realm).
Till now it worked quite well, but I got stuck on SecurityTokenHandler.CreateSecurityTokenReference(SecurityToken token, bool attached), which should return a SecurityKeyIdentifierClause.
My question is: What is a SecurityKey, SecurityKeyIdentifier and SecurityKeyIdentifierClause in general, and for my scenario (RSA signed (and encrypted) XML token) in specific?
There is almost no documentation in MSDN and I couldn't find anything else helpful on this topic.
Thanks in advance.
P.S.: I know the easiest and recommended way is to use a built-in token format like SAML, but the token is evaluated by a legacy system which expects a specific format I have no influence on.
In the meantime I found answers to the questions myself:
SecurityKey
A SecurityKey is used for cryptographic operations. This is not needed by bearer token implementations. Therefore you can just return an empty list in the corresponding property of the SecurityToken:
public override ReadOnlyCollection<SecurityKey> SecurityKeys
{
get { return new List<SecurityKey>().AsReadOnly(); }
}
SecurityKeyIdentifierClause
As already pointed out by the other answer a SecurityKeyIdentifierClause is kind of the unique identifier of a security token. It is used by a SecurityTokenResolver to return the corresponding SecurityToken for a specified SecurityKeyIdentifierClause.
Probably the best solution for your own SecurityTokenHandler implementation is to return a LocalIdKeyIdentifierClause with the id of your token as localId parameter:
public override SecurityKeyIdentifierClause CreateSecurityTokenReference(SecurityToken token, bool attached)
{
if (token == null)
throw new ArgumentNullException("token");
return new LocalIdKeyIdentifierClause(token.Id);
}
SecurityKeyIdentifier
A SecurityKeyIdentifier is a collection of SecurityKeyIdentifierClauses. Whenever needed you can use the implementation in System.IdentityModel.Tokens here. There is usually no need to take care of this by yourself.
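The three pieces described in this answer fit together as follows; this is an added illustration, not code from the question or from WIF itself. It assumes a hypothetical bearer token type named LegacyXmlToken, a handler named LegacyXmlTokenHandler with a placeholder token-type URI, and a small in-memory SecurityTokenResolver, and it leaves out the ReadToken/WriteToken/ValidateToken overrides for the legacy XML format, which the page does not describe. The namespaces match WIF 3.5 (Microsoft.IdentityModel.Tokens for SecurityTokenHandler); on .NET 4.5 the handler base class lives in System.IdentityModel.Tokens instead.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;   // SecurityTokenResolver
using System.IdentityModel.Tokens;      // SecurityToken, SecurityKey, LocalIdKeyIdentifierClause
using Microsoft.IdentityModel.Tokens;   // SecurityTokenHandler (WIF 3.5)

// Hypothetical bearer-style token: an id and a validity window, no keys.
public sealed class LegacyXmlToken : SecurityToken
{
    private readonly string id;
    private readonly DateTime validFrom;
    private readonly DateTime validTo;

    public LegacyXmlToken(string id, DateTime validFrom, DateTime validTo)
    {
        if (string.IsNullOrEmpty(id)) throw new ArgumentNullException("id");
        this.id = id;
        this.validFrom = validFrom;
        this.validTo = validTo;
    }

    public override string Id { get { return id; } }
    public override DateTime ValidFrom { get { return validFrom; } }
    public override DateTime ValidTo { get { return validTo; } }

    // Bearer token: nothing for the relying party to sign or decrypt with, so no keys are exposed.
    public override ReadOnlyCollection<SecurityKey> SecurityKeys
    {
        get { return new List<SecurityKey>().AsReadOnly(); }
    }

    // The base class already compares a LocalIdKeyIdentifierClause against Id;
    // it is spelled out here so the matching rule used by the resolver is visible.
    public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause clause)
    {
        var local = clause as LocalIdKeyIdentifierClause;
        return local != null && local.Matches(id, typeof(LegacyXmlToken));
    }
}

// Hypothetical handler: only the members that concern the token reference are shown.
public sealed class LegacyXmlTokenHandler : SecurityTokenHandler
{
    public const string TokenTypeUri = "urn:example:legacy-xml-token"; // placeholder, not a real identifier

    public override Type TokenType { get { return typeof(LegacyXmlToken); } }

    public override string[] GetTokenTypeIdentifiers() { return new[] { TokenTypeUri }; }

    // The clause is the handle a SecurityTokenResolver later uses to find this token again.
    public override SecurityKeyIdentifierClause CreateSecurityTokenReference(SecurityToken token, bool attached)
    {
        if (token == null) throw new ArgumentNullException("token");
        return new LocalIdKeyIdentifierClause(token.Id);
    }
}

// Minimal in-memory resolver: answers a clause with the token that matches it.
public sealed class InMemoryTokenResolver : SecurityTokenResolver
{
    private readonly List<SecurityToken> tokens;

    public InMemoryTokenResolver(IEnumerable<SecurityToken> tokens)
    {
        this.tokens = new List<SecurityToken>(tokens);
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause clause, out SecurityToken token)
    {
        token = tokens.Find(t => t.MatchesKeyIdentifierClause(clause));
        return token != null;
    }

    // A SecurityKeyIdentifier is just a collection of clauses: resolve on the first one that matches.
    protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
    {
        foreach (SecurityKeyIdentifierClause clause in keyIdentifier)
            if (TryResolveTokenCore(clause, out token)) return true;
        token = null;
        return false;
    }

    // Bearer tokens carry no SecurityKey, so key resolution never succeeds here.
    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause clause, out SecurityKey key)
    {
        key = null;
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        var now = DateTime.UtcNow;
        var issued = new LegacyXmlToken("tok-0001", now, now.AddHours(1)); // constructed sample id
        var handler = new LegacyXmlTokenHandler();
        SecurityKeyIdentifierClause reference = handler.CreateSecurityTokenReference(issued, true);

        var resolver = new InMemoryTokenResolver(new[] { issued });
        SecurityToken resolved;
        bool found = resolver.TryResolveToken(reference, out resolved);
        Console.WriteLine("resolved the issued token: {0}", found && ReferenceEquals(resolved, issued));

        bool unknown = resolver.TryResolveToken(new LocalIdKeyIdentifierClause("tok-9999"), out resolved);
        Console.WriteLine("unknown id resolves: {0}", unknown);
    }
}
```

The first lookup succeeds because the clause created by the handler carries the same local id the token reports through Id, which is exactly the comparison MatchesKeyIdentifierClause performs; the second lookup fails because no cached token has that id. This is why the id must be unique per issued token: a LocalIdKeyIdentifierClause identifies the token by nothing else, and the attached flag is not consulted by this simple reference at all.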
The key identifiers are used with custom tokens to do a couple of things. They describe the token, and/or point to other related tokens (because tokens can just be pointers - perhaps for performance reasons et al). If you do not need a key identifier, you can do two things:
Return false from CanWriteKeyIdentifierClause:
public override bool CanWriteKeyIdentifierClause(SecurityKeyIdentifierClause securityKeyIdentifierClause) { return false; }
Return a default (or null) value from CreateSecurityTokenReference:
public override SecurityKeyIdentifierClause CreateSecurityTokenReference(SecurityToken token, bool attached) { return default(SecurityKeyIdentifierClause); }