When a digital identity is transferred across a network, it's only a collection of bytes. It's common to refer to a set of bytes containing identity information as a security token or just a token. In a claims-based world, a token contains one or more claims, each of which carries some piece of information about the user it identifies.
Today, the tokens come in different flavors, including the following token formats:
- Security Assertion Markup Language (SAML):
- XML-based
- Very descriptive metadata
- JSON Web Token (JWT):
- Easily readable by humans
- Smaller token size
- Simple Web Token (SWT):
- Form-encoded attribute/value pairs
- Not very common
- Kerberos
For the following protocol specifications, we recommend a good basic knowledge of claims-based authentication. You can download the Microsoft claims...