Security Token Services (STS): A Beginner's Guide to Identity Tokens, How They Work, and Best Practices

In the realm of modern authentication and authorization, Security Token Services (STS) play a crucial role in issuing, validating, and exchanging security tokens that represent identity and access rights. This beginner’s guide is designed for developers, system administrators, and students seeking a practical understanding of token formats (like SAML and JWT), essential protocols (such as OAuth2 and OpenID Connect), common STS platforms (including Azure AD and AD FS), and security best practices.

Core Concepts and Vocabulary

Security tokens are signed packages that contain identity and authorization data known as claims. Applications or APIs, referred to as relying parties, accept these tokens as proof that a user or client is authenticated and authorized.

Key Terms

• Security token/assertion: Signed data carrying claims about a subject (user or client).
• Identity (ID) token: Confirms the identity of the user (“who you are”).
• Access token: Grants access to a resource (“what you can do”).
• Claims: Key-value data inside tokens (e.g., sub, email, roles).
• iss (issuer): Who issued the token.
• aud (audience): Intended recipient(s) of the token.
• sub (subject): The identity subject (user id).
• exp/nbf: Expiration and not-before times.

Token Formats

• SAML (Security Assertion Markup Language): XML-based assertions commonly used in enterprise SSO.
• JWT (JSON Web Token): Compact JSON-based tokens heavily utilized in OAuth2/OIDC.

How a Security Token Service (STS) Works — Simple Flow

A high-level flow for web Single Sign-On (SSO) using the authorization code flow with OIDC is as follows:

1. User requests a resource at the Service Provider (SP).
2. SP redirects the user to the STS (IdP) authorization endpoint.
3. User authenticates at STS (password, MFA, biometrics).
4. STS issues an ID token and access token, redirecting the user’s browser back to the SP with a code.
5. SP exchanges the code for tokens at the STS token endpoint.
6. SP validates the tokens and grants access.

Token Issuance Steps

• Authentication: STS confirms user identity.
• Claims Gathering: STS collects claims (attributes) from directories or other sources.
• Token Creation: STS packages claims into a token and signs it.
• Token Delivery: Tokens are returned via redirect, JSON response, or SOAP depending on the protocol.

Protocols and Standards You Should Know

• SAML 2.0: XML-based and often used for enterprise SSO.
• WS-Trust / WS-Federation: Older Microsoft-centric protocols used with AD FS for token issuance/exchange.
• OAuth 2.0 (RFC 6749): Authorization framework defining flows and token semantics.
• OpenID Connect (OIDC): Identity layer on top of OAuth2 that defines ID tokens and discovery endpoints.
• JWT/JWS/JWK: Token format, signing, and public key discovery.

Common STS Implementations and Platforms

• Azure Active Directory (Azure AD)

  • Purpose: Cloud identity for Microsoft 365, apps, and APIs. Uses OAuth2/OIDC/SAML based on the scenario.
  • Getting Started: Use the Azure portal to register an app and utilize OIDC/OAuth flows.

• Active Directory Federation Services (AD FS)

  • Purpose: On-premises federation for Windows domains with SAML, WS-Fed, WS-Trust support.
  • Overview: AD FS Overview.

• Keycloak (Open Source)

  • Purpose: Open-source identity provider supporting OIDC and SAML.
  • Quickstarts: Keycloak offers official quickstarts ideal for hands-on labs.

• IDaaS Providers (Auth0, Okta)

  • Purpose: Hosted identity services providing STS functionality with SDKs and admin consoles.

Integration Patterns and Practical Examples

Web App SSO Using OIDC (Authorization Code Flow)

1. The browser redirects to /authorize with client_id and redirect_uri.
2. STS authenticates the user and returns an authorization code.
3. The app exchanges the code at /token for ID and access tokens.

Validating JWTs at an API (Node.js Example)

• Check the signature using the STS’s JWKS endpoint.
• Verify standard claims: iss, aud, exp, nbf.
• Verify application-specific claims (roles, scope).

Example Code:

// npm install jsonwebtoken jwks-rsa
const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');

const client = jwksClient({ jwksUri: 'https://example.com/.well-known/jwks.json' });
function getKey(header, callback) {
  client.getSigningKey(header.kid, (err, key) => {
    const signingKey = key.getPublicKey();
    callback(null, signingKey);
  });
}

const token = process.env.ACCESS_TOKEN;
jwt.verify(token, getKey, { audience: 'api://default', issuer: 'https://example.com/' }, (err, decoded) => {
  if(err) return console.error('Token invalid', err);
  console.log('Token valid, claims:', decoded);
});

Security Considerations and Best Practices

• Short-Lived Tokens: Use short TTLs for access tokens.
• Protect Refresh Tokens: Store securely and rotate refresh tokens periodically.
• Use Asymmetric Signing (RS256): Publish JWKS for verification.
• Monitor Events: Log authentication actions and token issuance/failures.

Troubleshooting Common STS Issues (Quick Checklist)

• Signature Validation Errors: Verify JWKS and ensure the algorithm matches.
• Expired Tokens: Implement allowance for small clock skew.
• CORS Issues for SPAs: Ensure proper headers allow required origins.

Conclusion

A Security Token Service (STS) is pivotal for secure identity and access management. By understanding the ins and outs of token formats, protocols, and common platforms such as Azure AD, AD FS, and Keycloak, you can seamlessly integrate authentication within your applications. For practical experience, consider the suggestions given in the guide to implement STS in your projects.