...
Issued tokens are encrypted with the public key of the trusted relying party (RP). Accordingly, even the client that obtains the token to send to the RP has no visibility into the token's contents.
5. Now, let's apply security to the STS. You must provide UsernameToken-based security, which means that the client should have a valid user account with the Identity Server to obtain a token from the STS.
...