2.2.2 RST and RSTR Messages

[WSTrust] and [WSTrust1.3] specify a framework for requesting and returning security tokens using RST and RSTR messages. RST messages provide the means for requesting a security token from an STS or directly from the server. They have an extensible format that allows the client to specify a range of parameters that the token must satisfy. RSTR messages return the requested token and supporting state. Both messages use the <Security> element specified in section 2.2.1 to secure the exchange.

Only single-leg trust exchanges are used. That is, the client requests a token and the server returns it without any intermediate trust message exchanges.

The RST message body MUST contain exactly one <RequestSecurityToken> element as specified in [WSTrust] sections 5.1 "Requesting a Security Token" and 5.3 "Binary Secrets", and [WSTrust1.3] sections 3.1 and 3.3.

The RSTR message body MUST contain exactly one <RequestSecurityTokenResponse> element as specified in [WSTrust] sections 5.2 "Returning a Security Token" and 5.3 "Binary Secrets", and [WSTrust1.3] sections 3.2 and 3.3.

When using [WSTrust1.3], the <RequestSecurityTokenResponse> element MUST be contained in a <RequestSecurityTokenResponseCollection> element as specified in [WSTrust1.3] section 4.3. The <RequestSecurityTokenResponseCollection> element MUST NOT contain more than one <RequestSecurityTokenResponse> element.

This document overrides the following specifications:

  • The value of the BinarySecret/@type attribute specified in [WSTrust] section 5.3 MUST be set to one of the following values:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

    • http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

  • The value of the BinarySecret/@type attribute specified in [WSTrust1.3] section 3.3 MUST be set to one of the following values:

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey

  • [WSTrust1.3] section 3.1: "The <wst:RequestSecurityToken> element (RST) is used to request a security token (for any purpose). This element SHOULD be signed by the requestor, using tokens contained/referenced in the request that are relevant to the request."

    The <RequestSecurityToken> element MUST NOT be signed.

  • [WSTrust] section 11.2 and [WSTrust1.3] section 9.2: The optional <KeyType> element of an issuance binding RST message, and the corresponding <KeyType> element of an issuance binding RSTR message, MUST be either unspecified or specified as one of the following:

    • http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey

    • http://docs.oasis-open.org/wssx/wstrust/200512/Bearer

    • http://docs.oasis-open.org/ws-sx/wstrust/200512/Bearer

    • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
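The constraints above (exactly one RST or RSTR in the body, at most one RSTR inside a 1.3 collection, the RST not covered by a signature, the restricted BinarySecret type and KeyType values) are the kind of checks a receiver should apply before it acts on a trust message. The following validator is an added example and is not part of this specification or any Microsoft implementation; it checks a SOAP 1.2 envelope against those rules using Python's ElementTree. It assumes the attribute is spelled `Type` (as in the WS-Trust schemas, whereas the text above writes `@type`), and the sample messages embedded at the end are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the two WS-Trust versions and by the SOAP/WS-Security headers.
SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
WST_2005 = "http://schemas.xmlsoap.org/ws/2005/02/trust"
WST_13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Allowed BinarySecret/@Type values, keyed by the WS-Trust namespace the message uses.
BINARY_SECRET_TYPES = {
    WST_2005: {WST_2005 + "/Nonce", WST_2005 + "/SymmetricKey"},
    WST_13: {WST_13 + "/Nonce", WST_13 + "/SymmetricKey"},
}

# Allowed <KeyType> values, exactly as listed in the specification text.
KEY_TYPES = {
    "http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey",
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey",
    "http://docs.oasis-open.org/wssx/wstrust/200512/Bearer",
    "http://docs.oasis-open.org/ws-sx/wstrust/200512/Bearer",
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer",
}


def _ns(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def check_trust_body(xml_text, kind):
    """Return a list of rule violations; an empty list means the body conforms.
    kind is "RST" or "RSTR". For untrusted input, parse with defusedxml instead
    of plain ElementTree to rule out entity-expansion attacks (not shown here)."""
    root = ET.fromstring(xml_text)
    problems = []
    body = root.find("{%s}Body" % SOAP_ENV)
    if body is None:
        return ["no soap:Body element"]
    children = list(body)
    if len(children) != 1:
        return ["Body must contain exactly one element, found %d" % len(children)]
    top = children[0]
    ns = _ns(top.tag)
    if ns not in BINARY_SECRET_TYPES:
        return ["body element is not in a WS-Trust namespace: %s" % ns]

    if kind == "RST":
        if _local(top.tag) != "RequestSecurityToken":
            return ["RST body element must be RequestSecurityToken"]
        msg = top
        # The RST MUST NOT be signed: flag any ds:Reference that targets the RST's wsu:Id.
        rst_id = top.get("{%s}Id" % WSU)
        if rst_id:
            for ref in root.iter("{%s}Reference" % DSIG):
                if ref.get("URI") == "#" + rst_id:
                    problems.append("RequestSecurityToken is covered by a signature")
    elif kind == "RSTR":
        if ns == WST_13:
            # WS-Trust 1.3: the RSTR must be wrapped in a collection holding exactly one RSTR.
            if _local(top.tag) != "RequestSecurityTokenResponseCollection":
                return ["1.3 RSTR must be wrapped in RequestSecurityTokenResponseCollection"]
            rstrs = [c for c in top if c.tag == "{%s}RequestSecurityTokenResponse" % ns]
            if len(rstrs) != 1:
                return ["collection must hold exactly one RSTR, found %d" % len(rstrs)]
            msg = rstrs[0]
        else:
            if _local(top.tag) != "RequestSecurityTokenResponse":
                return ["RSTR body element must be RequestSecurityTokenResponse"]
            msg = top
    else:
        raise ValueError("kind must be 'RST' or 'RSTR'")

    # BinarySecret/@Type is restricted per WS-Trust version; KeyType is restricted for both.
    for bs in msg.iter("{%s}BinarySecret" % ns):
        if bs.get("Type") not in BINARY_SECRET_TYPES[ns]:
            problems.append("BinarySecret/@Type not allowed: %s" % bs.get("Type"))
    for kt in msg.iter("{%s}KeyType" % ns):
        value = (kt.text or "").strip()
        if value not in KEY_TYPES:
            problems.append("KeyType not allowed: %s" % value)
    return problems


# Constructed sample messages (not captured traffic); the Header is left empty for brevity.
_ENV = '<s:Envelope xmlns:s="%s" xmlns:t="%s"><s:Header/><s:Body>%s</s:Body></s:Envelope>'
GOOD_RST = _ENV % (SOAP_ENV, WST_13,
    '<t:RequestSecurityToken><t:KeyType>' + WST_13 + '/SymmetricKey</t:KeyType>'
    '<t:Entropy><t:BinarySecret Type="' + WST_13 + '/Nonce">c2FtcGxl</t:BinarySecret>'
    '</t:Entropy></t:RequestSecurityToken>')
# Mixes a 1.3 BinarySecret type into a 2005/02 message and uses a KeyType the spec excludes.
BAD_RST = _ENV % (SOAP_ENV, WST_2005,
    '<t:RequestSecurityToken><t:KeyType>' + WST_2005 + '/PublicKey</t:KeyType>'
    '<t:Entropy><t:BinarySecret Type="' + WST_13 + '/Nonce">c2FtcGxl</t:BinarySecret>'
    '</t:Entropy></t:RequestSecurityToken>')
_RSTR = ('<t:RequestSecurityTokenResponse><t:RequestedSecurityToken>'
         '<x:Token xmlns:x="urn:example:token"/></t:RequestedSecurityToken>'
         '<t:KeyType>' + WST_13 + '/Bearer</t:KeyType></t:RequestSecurityTokenResponse>')
GOOD_RSTR = _ENV % (SOAP_ENV, WST_13,
    '<t:RequestSecurityTokenResponseCollection>' + _RSTR + '</t:RequestSecurityTokenResponseCollection>')
BAD_RSTRC = _ENV % (SOAP_ENV, WST_13,
    '<t:RequestSecurityTokenResponseCollection>' + _RSTR + _RSTR + '</t:RequestSecurityTokenResponseCollection>')

if __name__ == "__main__":
    for name, text, kind in [("good RST", GOOD_RST, "RST"), ("bad RST", BAD_RST, "RST"),
                             ("good RSTR", GOOD_RSTR, "RSTR"), ("two RSTRs", BAD_RSTRC, "RSTR")]:
        print(name, "->", check_trust_body(text, kind) or "conforms")
```

Structural violations (wrong body element, more than one RSTR in the collection) are returned immediately because the rest of the checks would have nothing well-defined to inspect; value violations are accumulated so a single pass reports every offending BinarySecret and KeyType.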