Skip to main content

Enforcing proof-of-possession

Recall that the TokenCanceller interface has a setVerifyProofOfPossession method which defines whether proof-of-possession is required or not to cancel a security token. The default value for the SCTCanceller is true.

This means that for the client to successfully cancel a SecurityContextToken it must prove to the STS that it knows the secret key associated with that SecurityContextToken. The client must do this by signing some portion of the request with the same secret key that the SCTCanceller retrieves from the security token stored in the cache.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!

Leave your feedback here