WSTrust

WS-Trust (often written WSTrust), short for Web Services Trust Language, is an OASIS standard in the WS-* family of web service specifications. It describes a SOAP-based protocol for requesting, issuing, renewing, validating, and cancelling security tokens between a client and a Security Token Service (STS). Tokens issued under WS-Trust are used to prove a subject's identity or rights when accessing protected web services in distributed environments.

The protocol centers on two message types: RequestSecurityToken (RST) messages sent by the client to the STS, and RequestSecurityTokenResponse (RSTR) messages returned by the STS. Common operations include issuing a token, renewing an existing token, validating a token, or cancelling a token. The tokens themselves are often SAML assertions, but WS-Trust supports other formats as well. The RST specifies parameters such as the token type, the request type (Issue, Renew, Validate, or Cancel), key material (for example whether a bearer, symmetric, or public proof key is wanted), and the intended audience (AppliesTo). The RSTR carries the issued token together with its lifetime and the audience it was issued for.

WS-Trust is designed to work with WS-Security, WS-Addressing, and WS-Policy, and relies on a Security Token Service to issue tokens that carry claims about authentication and authorization. These tokens can be used to access protected resources: the client presents the token to a service endpoint, which validates it as part of access control, at minimum checking the issuer's signature, the intended audience, and the validity period before relying on any claim it carries. Implementations are common in enterprise software, including Microsoft Active Directory Federation Services (ADFS), as well as other identity and access management products.

History and status: WS-Trust emerged in the mid-2000s as part of the WS-* family, with several versions such as WS-Trust 2005 (the February 2005 pre-OASIS version, namespace http://schemas.xmlsoap.org/ws/2005/02/trust) and WS-Trust 1.3 (the OASIS Standard of March 2007, namespace http://docs.oasis-open.org/ws-sx/ws-trust/200512), later followed by WS-Trust 1.4 (2009). While it remains in use in many on-premises or federated environments, newer approaches like OAuth 2.0 and OpenID Connect have become more prevalent for internet-facing APIs. WS-Trust continues to be relevant in certain enterprise and legacy integrations that rely on SOAP-based token issuance and federation.
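The RST/RSTR exchange described above, as an added example that is not part of the original page or of any WS-Trust product: the client side builds a WS-Trust 1.3 Issue request carrying a WS-Security UsernameToken, and the relying-party side reads the RSTR and applies the audience and lifetime checks. The STS URL (an ADFS-style /adfs/services/trust/13/usernamemixed path), the service URL, the credentials and the sample RSTR are all constructed for the example; the sample carries no XML Signature, so the signature check, the one a real relying party must do first, is deliberately out of scope here.

```python
"""WS-Trust 1.3 Issue exchange: the client's RST and the checks a relying party
applies to the RSTR it gets back. Added illustration, not code from the page or
from any STS product; the URLs, credentials and SAMPLE_RSTR are constructed.
SAMPLE_RSTR carries no XML Signature, so this does not verify the issuer's signature."""
import datetime as dt
import xml.etree.ElementTree as ET

# Real namespace URIs from WS-Trust 1.3, WS-Addressing, WS-Policy, WS-Security, SAML 2.0.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
WST = NS["wst"]
ISSUE, BEARER = WST + "/Issue", WST + "/Bearer"
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
for _p, _u in NS.items(): ET.register_namespace(_p, _u)  # readable prefixes when serializing

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)  # Clark-notation tag name for ElementTree

def build_issue_rst(sts_url, applies_to, username, password):
    """SOAP 1.2 envelope for RST/Issue: WS-Security UsernameToken in the header;
    request type, token type, key material and audience (AppliesTo) in the body."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    mu = {q("s", "mustUnderstand"): "1"}
    ET.SubElement(hdr, q("wsa", "Action"), mu).text = WST + "/RST/Issue"
    ET.SubElement(hdr, q("wsa", "To"), mu).text = sts_url
    ut = ET.SubElement(ET.SubElement(hdr, q("wsse", "Security"), mu), q("wsse", "UsernameToken"))
    ET.SubElement(ut, q("wsse", "Username")).text = username
    ET.SubElement(ut, q("wsse", "Password"), {"Type": PW_TEXT}).text = password
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE
    ET.SubElement(rst, q("wst", "TokenType")).text = SAML2
    ET.SubElement(rst, q("wst", "KeyType")).text = BEARER  # bearer token: no proof key
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = applies_to
    return ET.tostring(env, encoding="unicode")

def rst_fields(xml_text):
    """What an STS reads out of an incoming RST (used here to check our own)."""
    rst = ET.fromstring(xml_text).find(".//wst:RequestSecurityToken", NS)
    paths = {"request_type": "wst:RequestType", "token_type": "wst:TokenType", "key_type": "wst:KeyType",
             "applies_to": "wsp:AppliesTo/wsa:EndpointReference/wsa:Address"}
    return {k: rst.findtext(p, namespaces=NS) for k, p in paths.items()}

# Constructed RSTR in the 1.3 RSTR-Collection wrapper; a real one also carries a ds:Signature.
SAMPLE_RSTR = f"""<s:Envelope xmlns:s="{NS['s']}"><s:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}"><wst:RequestSecurityTokenResponse>
<wst:Lifetime xmlns:wsu="{NS['wsu']}"><wsu:Created>2024-05-01T12:00:00Z</wsu:Created>
<wsu:Expires>2024-05-01T13:00:00Z</wsu:Expires></wst:Lifetime>
<wsp:AppliesTo xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}"><wsa:EndpointReference>
<wsa:Address>https://app.example.com/</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
<wst:RequestedSecurityToken><saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="_c0ffee" Version="2.0"
 IssueInstant="2024-05-01T12:00:00Z"><saml2:Issuer>https://sts.example.com/adfs/services/trust</saml2:Issuer>
<saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
<saml2:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T13:00:00Z"><saml2:AudienceRestriction>
<saml2:Audience>https://app.example.com/</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion></wst:RequestedSecurityToken>
<wst:TokenType>{SAML2}</wst:TokenType><wst:RequestType>{ISSUE}</wst:RequestType><wst:KeyType>{BEARER}</wst:KeyType>
</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""

def _ts(text):
    """xs:dateTime as used in WS-Trust Lifetime and SAML Conditions (UTC 'Z')."""
    if text is None: raise ValueError("missing timestamp")
    return dt.datetime.fromisoformat(text.replace("Z", "+00:00"))

def check_rstr(xml_text, expected_audience, now):
    """Extract the issued token and apply the relying-party checks that need no signing
    key: Lifetime, RSTR AppliesTo and the assertion's AudienceRestriction. Raises ValueError
    on any mismatch. For untrusted input use defusedxml; plain ElementTree suffices here."""
    now = _ts(now) if isinstance(now, str) else now
    rstr = ET.fromstring(xml_text).find(".//wst:RequestSecurityTokenResponse", NS)
    if rstr is None: raise ValueError("no RequestSecurityTokenResponse in reply")
    created = _ts(rstr.findtext("wst:Lifetime/wsu:Created", namespaces=NS))
    expires = _ts(rstr.findtext("wst:Lifetime/wsu:Expires", namespaces=NS))
    if not created <= now < expires: raise ValueError("token outside its Lifetime")
    token = rstr.find("wst:RequestedSecurityToken/saml2:Assertion", NS)
    if token is None: raise ValueError("no SAML 2.0 assertion in RequestedSecurityToken")
    applies_to = rstr.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)
    audiences = [a.text for a in token.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if applies_to != expected_audience or expected_audience not in audiences:
        raise ValueError("token was not issued for %r" % expected_audience)
    return {"id": token.get("ID"),
            "issuer": token.findtext("saml2:Issuer", namespaces=NS),
            "subject": token.findtext("saml2:Subject/saml2:NameID", namespaces=NS),
            "expires": expires.isoformat()}
```

The transport step (POSTing the envelope to the STS over HTTPS with Content-Type application/soap+xml and reading the reply) is omitted so that everything runs offline against the constructed response. Note that a wrong audience or a request made at the Expires instant is rejected: bearer tokens carry no proof key, so the audience restriction and lifetime are the only things stopping a captured token from being replayed elsewhere, which is why a relying party checks them in addition to the signature.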