Hi Stefan, anonymous wrote : IIRC, the spec doesn't say that 'ONLY ONE' of them should be specified, so I think we can safely have both the token type and AppliesTo in the request. :) You are right. The spec says: anonymous wrote : | TokenType | If this optional element is not specified in an issue request, it is RECOMMENDED that the optional element <wsp:AppliesTo> be used to indicate the target where this token will be used. That is, either the <wst:TokenType> or the <wsp:AppliesTo> element SHOULD be defined within a request. If both the <wst:TokenType> and <wsp:AppliesTo> elements are defined, the <wsp:AppliesTo> element takes precedence (for the current request only) in case the target scope requires a specific type of token. | I understand this as to mean that a RequestSecurityToken can be valid without a TokenType or an AppliesTo specified. I'm not sure how that would work and how the lookup of the service provider and token provider could be done with one or the other. Perhaps 'SHOULD' in this case is more strict then I'm interpreting it? anonymous wrote : Regarding adding a new method, I don't have anything against it. As a matter of fact, this can be a good thing. Although the very same check is performed in the STS, a client-side validation can prevent us from spending time to create, marshall, and dispatch a request that will fail anyway. I agree. I'll add this. Thanks, /Daniel View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4257460#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...