Hi Daniel,
anonymous wrote:
| I understand this as to mean that a RequestSecurityToken can be valid without a
| TokenType or an AppliesTo specified.
| I'm not sure how that would work and how the lookup of the service provider and
| token provider could be done with one or the other. Perhaps 'SHOULD' in this case
| is more strict than I'm interpreting it?
|
No, I think you are interpreting it correctly, otherwise they would have used the word
'MUST'. I interpret the 'SHOULD' as something highly advisable and as such
I believe we can require one of the types to be specified in WS-T requests simply because
we don't have any other way to find out what token provider should be used to handle
the request.

We could use a default provider (specified in the WS-T configuration file) but I don't
think this is a good idea because a default provider could cover a potential client-side
error. In other words, the client app could be expecting an exception to be thrown if the
user forgets to specify the token type or target endpoint but instead gets a
'default' token from the STS.

It is good that you've copied that section of the spec here because it reminded me
that AppliesTo has precedence over TokenType and right now the STS doesn't follow this
rule. I'll open a Jira and fix this.
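
The lookup rule discussed in this reply (AppliesTo before TokenType, and a rejected request rather than a default provider when neither is given), as an added Python example that is not part of the original post or of the STS code base. The provider tables, the endpoint URL and all function names are hypothetical, and rejecting an unknown endpoint without falling back to TokenType is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# WS-Trust 1.3, WS-Policy (AppliesTo) and WS-Addressing (EndpointReference) namespaces.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
NS = {"wst": WST, "wsp": WSP, "wsa": WSA}
SAML20 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

# Hypothetical configuration: endpoint and provider names are constructed.
BY_ENDPOINT = {"http://services.example.test/sales": "SalesTokenProvider"}
BY_TOKEN_TYPE = {SAML20: "Saml20TokenProvider"}

class InvalidRequest(Exception):
    """Raised instead of silently issuing a 'default' token."""

def build_rst(applies_to=None, token_type=None):
    """Build a constructed RequestSecurityToken for the sample runs."""
    rst = ET.Element("{%s}RequestSecurityToken" % WST)
    if token_type is not None:
        ET.SubElement(rst, "{%s}TokenType" % WST).text = token_type
    if applies_to is not None:
        scope = ET.SubElement(rst, "{%s}AppliesTo" % WSP)
        epr = ET.SubElement(scope, "{%s}EndpointReference" % WSA)
        ET.SubElement(epr, "{%s}Address" % WSA).text = applies_to
    return ET.tostring(rst, encoding="unicode")

def _text(root, path):
    node = root.find(path, NS)
    return ((node.text or "").strip() or None) if node is not None else None

def resolve_provider(rst_xml):
    """Return the provider name for a request: AppliesTo first, else TokenType."""
    root = ET.fromstring(rst_xml)  # sample input only; harden parsing for untrusted XML
    if root.tag != "{%s}RequestSecurityToken" % WST:
        raise InvalidRequest("not a RequestSecurityToken")
    applies_to = _text(root, "wsp:AppliesTo/wsa:EndpointReference/wsa:Address")
    token_type = _text(root, "wst:TokenType")
    if applies_to is None and token_type is None:
        raise InvalidRequest("neither AppliesTo nor TokenType specified")
    # AppliesTo takes precedence: when present, TokenType is not consulted.
    table, key = (BY_ENDPOINT, applies_to) if applies_to else (BY_TOKEN_TYPE, token_type)
    if key not in table:
        raise InvalidRequest("no token provider configured for " + key)
    return table[key]

if __name__ == "__main__":
    print(resolve_provider(build_rst("http://services.example.test/sales", SAML20)))
```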