Skip to main content

The TokenProvider Interface

Security tokens are created in the Security Token Service via the TokenProvider interface. It has three methods:

  • boolean canHandleToken(String tokenType) - Whether this TokenProvider implementation can provide a token of the given type
  • boolean canHandleToken(String tokenType, String realm) - Whether this TokenProvider implementation can provide a token of the given type, in the given realm
  • TokenProviderResponse createToken(TokenProviderParameters tokenParameters) - Create a token using the given parameters

A client can request a security token from the STS by either invoking the issue operation and supplying a desired token type, or else calling the "validate" operation and passing a (different) token type (token transformation). Assuming that the client request is authenticated and well-formed, the STS will iterate through a list of TokenProvider implementations to see if they can "handle" the received token type. If they can, then the implementation is used to create a security token, which is returned to the client. The second "canHandleToken" method which also takes a "realm" parameter.

So to support the issuing of a particular token type in an STS deployment, it is necessary to specify a TokenProvider implementation that can handle that token type. The STS currently ships with two TokenProvider implementations, one for generating SecurityContextTokens, and one for generating SAML Assertions. Before we look at these two implementations, let's take a look at the "createToken" operation in more detail. This method takes a TokenProviderParameters instance.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!