
Easiest method to use a client-generated token for WCF authentication

(I tried searching, but couldn't find any truly helpful links.)

We are implementing a set of WCF services. What I would like to do in these services is have the clients (which will be trusted application servers) be able to pass a token of some sort to the web service to authenticate. I do not want to be required to pass username/password on the initial or subsequent requests (because in some cases the calling application server may not have the password). Windows and Kerberos are not usable in our specific circumstance.

I had thought to just create a simple custom UserNameSecurityTokenAuthenticator class and modify it so that if the password is empty, it takes userName as the string-encoded token value (obviously checking the token itself to verify that it's valid at that point), but if the password is not empty, forwarding on the username/password to a MembershipProvider for checking. Basically I'd like to overload the username/password authentication to provide for token passing as well.

Is this possible? Can I simply plug in a token authenticator like this, or is there some other simple way to "intercept" requests like this (and update the actual username value from the decrypted token)?

Or is there some other incredibly simple way to allow the client to pass a custom token and have the server accept it that I'm just missing?


If it's a fairly controlled environment and not too many clients involved, then I'd try to set up something along the lines of the B2B scenario securing the transport link using certificates on both ends.

Certificates are not bound to Windows or an AD domain, and setting them up is a one-time job.

Read more about that WCF security scenario:

  • MSDN: Transport Security with Certificate Authentication
  • Fundamentals of WCF Security: Business Partner Applications
  • WCF Security How-To's
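
A sketch of the certificate-over-transport setup suggested in the answer above, as an added example that is not part of the original answer. The service, contract, host and certificate subject names are constructed placeholders; the binding and credential elements are standard WCF configuration.

```xml
<!-- Added example. Constructed names: Contoso.Orders.OrderService, IOrderService,
     orders.contoso.example, appserver01.contoso.example. -->

<!-- Service side (web.config): HTTPS transport, caller must present a client certificate. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="certOverTransport">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Contoso.Orders.OrderService">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="certOverTransport"
                contract="Contoso.Orders.IOrderService" />
    </service>
  </services>
</system.serviceModel>

<!-- Client side (app.config on the calling application server): same binding,
     plus a behavior that selects the certificate to present from the machine store. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="certOverTransport">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="presentClientCert">
        <clientCredentials>
          <clientCertificate findValue="appserver01.contoso.example"
                             storeLocation="LocalMachine" storeName="My"
                             x509FindType="FindBySubjectName" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint address="https://orders.contoso.example/OrderService.svc"
              binding="wsHttpBinding" bindingConfiguration="certOverTransport"
              behaviorConfiguration="presentClientCert"
              contract="Contoso.Orders.IOrderService" />
  </client>
</system.serviceModel>
```

With this in place no username or password travels with the request; the calling server is identified by the certificate it presents during the TLS handshake. When the service is hosted in IIS, the site's SSL settings must also be set to accept or require client certificates.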