When transferring security tokens to a WCF service, in which scenario should I use the following similar-sounding methods?
The documentation does not shed much light on the intended use. :-(
CreateChannelWithIssuedToken uses the current process token.
CreateChannelWithOnBehalfOfToken uses an external entity (not the current process). A service would use this to make a call "on behalf" of whomever called the service.
CreateChannelWithActAsToken uses both the current process and the external entity.
From Windows Identity Foundation FAQ:
From the WS-Trust protocol standpoint:
An ActAs RST element indicates that the requestor wants a token that contains claims about two distinct entities: the requestor, and an external entity represented by the token in the ActAs element.
An OnBehalfOf RST element indicates that the requestor wants a token that contains claims only about one entity: the external entity represented by the token in the OnBehalfOf element.
The ActAs feature is typically used in scenarios that require composite delegation, where the final recipient of the issued token can inspect the entire delegation chain and see not just the client, but all intermediaries.
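The distinction above, seen from the side that receives the RST, as an added example that is not part of the original answer or of WIF itself. It reads a WS-Trust 1.3/1.4 RequestSecurityToken and reports which identities the issued token should describe. Assumptions: the sample messages are constructed, the SAML assertion is reduced to its NameID, the names `frontend-svc` and `alice` are made up, and rejecting an RST that carries both elements is a local policy choice.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"    # WS-Trust 1.3: OnBehalfOf
WST14 = "http://docs.oasis-open.org/ws-sx/ws-trust/200802"  # WS-Trust 1.4: adds ActAs
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def _rst(delegation_xml):
    # Constructed sample RST; real messages carry more elements and a signature.
    return (f'<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wst14="{WST14}" '
            f'xmlns:saml="{SAML}">'
            f'<wst:RequestType>{WST}/Issue</wst:RequestType>'
            f'{delegation_xml}</wst:RequestSecurityToken>')

# Constructed token for the external entity (the original caller).
_ALICE = ('<saml:Assertion><saml:Subject><saml:NameID>alice</saml:NameID>'
          '</saml:Subject></saml:Assertion>')
SAMPLE_PLAIN = _rst("")
SAMPLE_OBO = _rst(f"<wst:OnBehalfOf>{_ALICE}</wst:OnBehalfOf>")
SAMPLE_ACTAS = _rst(f"<wst14:ActAs>{_ALICE}</wst14:ActAs>")

def expected_subjects(rst_xml, requestor):
    """Return (mode, identities the issued token should contain claims about)."""
    root = ET.fromstring(rst_xml)
    if root.tag != f"{{{WST}}}RequestSecurityToken":
        raise ValueError("not a WS-Trust 1.3/1.4 RST")
    act_as = root.find(f"{{{WST14}}}ActAs")
    obo = root.find(f"{{{WST}}}OnBehalfOf")
    if act_as is not None and obo is not None:
        # Assumed local policy: refuse an ambiguous request rather than guess.
        raise ValueError("RST carries both ActAs and OnBehalfOf")
    element = act_as if act_as is not None else obo
    if element is None:
        return "RequestorOnly", [requestor]
    name_id = element.find(f".//{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("delegation element has no subject NameID")
    external = name_id.text.strip()
    if act_as is not None:
        return "ActAs", [requestor, external]   # requestor and external entity
    return "OnBehalfOf", [external]             # external entity only

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_OBO, SAMPLE_ACTAS):
        print(expected_subjects(sample, "frontend-svc"))
```

Note that the two elements live in different namespaces: OnBehalfOf is in the 200512 namespace, while ActAs was added in WS-Trust 1.4 under 200802.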