OPC UA Applicationssupport Authenticationof users by providing the necessary Authenticationcredentials to the other entities. As described in the ActivateSession service in OPC 10000-4, the OPC UA Clientaccepts a UserIdentityToken from the user and passes it to the OPC UA Server. The OPC UA Serverauthenticates the user token. OPC UA Applicationsaccept tokens in any of the following forms: username/password, X.509 v3 Certificate(see [X509]), or JSON Web Token (JWT).

As specified in the CreateSession and ActivateSession Servicesin OPC 10000-4, if the UserIdentityToken is a Certificatethen this token is validated with a challenge-response process. The Serverprovides a Nonceand signing algorithm as the challenge in its CreateSession response. The Clientresponds to the challenge by signing the Server’s Nonceand providing it as an argument in its subsequent ActivateSession call.