A security token resolver is used to translate between a security key identifier and an actual security token. Typically, security key identifiers are sent on the wire because the tokens are known out of band.

To configure the token resolvers on a token handler, you must know which certificates will be used to sign and encrypt the tokens or messages that the service expects to receive. Each token handler has two token resolvers:

  1. A Service Token Resolver, which stores a list of certificates that are known to the service, with regard to its own identity. These certificates are used to resolve the encryption token on incoming messages and tokens.

  2. An Issuer Token Resolver, which stores a list of certificates that are known to the service, with regard to issuers that the service trusts. These certificates are used to resolve the signing token on incoming security tokens and messages.

Token resolvers can’t be configured declaratively. The following code shows how to create and configure token resolvers programmatically.

using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

SecurityTokenHandlerCollection collection = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();

// Create the service token resolver from the service certificate.
// serviceCertificate (an X509Certificate2) is assumed to have been loaded elsewhere.
// It must carry its private key: this resolver supplies the key used to decrypt incoming tokens.
List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(serviceCertificate));
// The second argument (canMatchLocalId) controls whether local-ID references inside a
// message are matched against these tokens; it is not needed for certificate-based resolution.
SecurityTokenResolver serviceResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false);
collection.Configuration.ServiceTokenResolver = serviceResolver;

// Create an issuer token resolver that consults the local machine's Trusted People store.
// Every certificate in that store becomes an accepted signer, so restrict who can write to it.
X509CertificateStoreTokenResolver certificateStoreIssuerResolver = new X509CertificateStoreTokenResolver(StoreName.TrustedPeople, StoreLocation.LocalMachine);
collection.Configuration.IssuerTokenResolver = certificateStoreIssuerResolver;
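The following is an added example, not code from the original page. It shows what a resolver actually does at runtime: a thumbprint key identifier clause, the kind of reference that arrives on the wire instead of the certificate itself, is translated back into the matching token and key, and a thumbprint the resolver has never seen is rejected. The two certificates (knownCert and unknownCert) and the method name ResolverDemo.Run are assumptions; the caller loads the certificates from wherever the service keeps them.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Added example (not part of the original page). Builds a resolver from an explicit
// list of certificates and exercises the key-identifier-to-token translation directly.
public static class ResolverDemo
{
    // knownCert: a certificate the service already holds (assumed loaded by the caller).
    // unknownCert: any other certificate, standing in for an untrusted party.
    public static void Run(X509Certificate2 knownCert, X509Certificate2 unknownCert)
    {
        List<SecurityToken> tokens = new List<SecurityToken> { new X509SecurityToken(knownCert) };
        SecurityTokenResolver resolver =
            SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);

        // A thumbprint clause is what a message typically carries instead of the certificate.
        X509ThumbprintKeyIdentifierClause knownClause = new X509ThumbprintKeyIdentifierClause(knownCert);

        // Resolve the clause to the token the service already knows about.
        SecurityToken resolvedToken;
        bool tokenFound = resolver.TryResolveToken(knownClause, out resolvedToken);
        Console.WriteLine("known thumbprint -> token: {0}", tokenFound);

        // The same clause can be resolved straight to the key used for signature or decryption.
        SecurityKey resolvedKey;
        bool keyFound = resolver.TryResolveSecurityKey(knownClause, out resolvedKey);
        Console.WriteLine("known thumbprint -> key: {0}", keyFound);

        // A thumbprint that is not in the resolver yields no token. Treat this as an
        // untrusted signer or an undecryptable message; do not fall back to another source.
        X509ThumbprintKeyIdentifierClause unknownClause = new X509ThumbprintKeyIdentifierClause(unknownCert);
        SecurityToken unresolvedToken;
        bool unknownFound = resolver.TryResolveToken(unknownClause, out unresolvedToken);
        Console.WriteLine("unknown thumbprint -> token: {0}", unknownFound);
    }
}
```

The same TryResolveToken and TryResolveSecurityKey calls are what the token handlers make against the ServiceTokenResolver and IssuerTokenResolver configured above, which is why the contents of the Trusted People store, or of the list handed to CreateDefaultSecurityTokenResolver, define exactly which signers and decryption keys the service will accept.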