Authorization Services (AS) provide access to identity providers which can validate the credentials provided by Clients. They then provide tokens which can be passed to a Server instead of the credentials. These tokens are passed as an IssuedIdentityToken defined in 7.41.6.

The protocol used to request tokens depends on the Authorization Service (AS). Common protocols include OAuth2 and OPC UA. OAuth2 supports claims-based authorization as described in OPC 10000-2.

Servers publish the Authorization Services (AS) they support in the UserTokenPolicies list returned with GetEndpoints. The IssuedTokenType field specifies the protocol used to communicate with the AS. The IssuerEndpointUrl field contains the information needed by the Client to connect to the AS using the protocol required by the AS.

The basic handshake is shown in Figure 24.

Figure 24 – Indirect handshake with an Identity Provider
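The following is an added worked example of the policy selection described above and of the indirect handshake in Figure 24; it is illustration code, not part of the OPC UA specification or any reference implementation. It assumes that the IssuerEndpointUrl of a JWT policy carries a JSON object with "ua:authorityUrl", "ua:tokenEndpoint" and "ua:resourceId" keys, that a toy AS issues HS256 tokens with a key it shares with the Server (a real AS signs with an asymmetric key), and that the tokenData is handed to the Server without the encryption step a real Client applies. The GetEndpoints result is constructed. The practitioner's check it adds: the UserTokenPolicies come from the Server, so a Client must only contact Authorization Services it has been configured to trust, or a hostile Server could redirect it, credentials and all, to a rogue AS.

```python
"""Added example (not OPC UA specification text): Client selects a trusted
Authorization Service from GetEndpoints, obtains a token, and passes it to the
Server in an IssuedIdentityToken that the Server validates at ActivateSession.
Assumed: JSON keys inside IssuerEndpointUrl, HS256 tokens with a key shared
between the toy AS and the Server, and no encryption of tokenData."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

ISSUED_TOKEN = 3                                         # UserTokenType.IssuedToken
JWT_TYPE = "http://opcfoundation.org/UA/UserToken#JWT"   # IssuedTokenType URI, OPC 10000-6
NONE_POLICY = "http://opcfoundation.org/UA/SecurityPolicy#None"
CHANNEL_POLICY = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

# Constructed GetEndpoints result: an anonymous policy, a rogue AS advertised over
# plain http, and the AS the Client has been configured to trust.
ENDPOINT = {
    "endpointUrl": "opc.tcp://plc.example.invalid:4840",
    "userIdentityTokens": [
        {"policyId": "anon", "tokenType": 0, "issuedTokenType": None,
         "issuerEndpointUrl": None, "securityPolicyUri": None},
        {"policyId": "rogue-jwt", "tokenType": ISSUED_TOKEN, "issuedTokenType": JWT_TYPE,
         "issuerEndpointUrl": json.dumps({"ua:authorityUrl": "http://as.attacker.invalid",
                                          "ua:tokenEndpoint": "/token", "ua:resourceId": "urn:plc"}),
         "securityPolicyUri": None},
        {"policyId": "corp-jwt", "tokenType": ISSUED_TOKEN, "issuedTokenType": JWT_TYPE,
         "issuerEndpointUrl": json.dumps({"ua:authorityUrl": "https://as.example.invalid",
                                          "ua:tokenEndpoint": "/oauth2/token", "ua:resourceId": "urn:plc"}),
         "securityPolicyUri": None},
    ],
}
TRUSTED_AUTHORITIES = {"https://as.example.invalid"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def select_as_policy(endpoint, trusted_authorities, channel_policy=CHANNEL_POLICY):
    """Return (policy, as_config) for the first ISSUEDTOKEN policy whose AS is trusted."""
    for pol in endpoint["userIdentityTokens"]:
        if pol["tokenType"] != ISSUED_TOKEN or pol["issuedTokenType"] != JWT_TYPE:
            continue
        cfg = json.loads(pol["issuerEndpointUrl"])          # assumed JSON layout
        authority = cfg.get("ua:authorityUrl", "")
        if urlparse(authority).scheme != "https" or authority not in trusted_authorities:
            continue                                         # never follow an untrusted AS
        # A bearer token must not travel over an unencrypted channel; a null
        # securityPolicyUri means the SecureChannel's own policy applies.
        if (pol["securityPolicyUri"] or channel_policy) in (None, NONE_POLICY):
            continue
        return pol, cfg
    raise LookupError("no trustworthy Authorization Service advertised")


class ToyAuthorizationService:
    """Validates Client credentials and issues short-lived HS256 tokens."""

    def __init__(self, issuer, key, users):
        self.issuer, self.key, self.users = issuer, key, users   # users: name -> sha256 hex

    def issue_token(self, username, password, resource_id, ttl=300):
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self.users.get(username, "0" * 64), digest):
            raise PermissionError("credentials rejected by AS")
        now = int(time.time())
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64(json.dumps({"iss": self.issuer, "sub": username, "aud": resource_id,
                                  "iat": now, "exp": now + ttl}).encode())
        sig = hmac.new(self.key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        return f"{header}.{claims}.{_b64(sig)}"


class ToyServer:
    """Validates the token carried in an IssuedIdentityToken at ActivateSession."""

    def __init__(self, key, resource_id, trusted_issuers):
        self.key, self.resource_id, self.trusted_issuers = key, resource_id, trusted_issuers

    def activate_session(self, identity_token, now=None):
        header, claims, sig = identity_token["tokenData"].decode().split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":      # pin the algorithm
            raise PermissionError("unexpected token algorithm")
        expected = hmac.new(self.key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise PermissionError("token signature invalid")
        body = json.loads(_unb64(claims))
        if body["iss"] not in self.trusted_issuers or body["aud"] != self.resource_id:
            raise PermissionError("token not issued for this Server by a trusted AS")
        if body["exp"] <= (now if now is not None else int(time.time())):
            raise PermissionError("token expired")
        return body["sub"]


def indirect_handshake(username, password, server_key=b"shared-demo-key"):
    """Figure 24 end to end: Client -> AS (credentials), AS -> Client (token), Client -> Server."""
    pol, cfg = select_as_policy(ENDPOINT, TRUSTED_AUTHORITIES)
    auth_service = ToyAuthorizationService(cfg["ua:authorityUrl"], server_key,
                                           {"operator": hashlib.sha256(b"hunter2").hexdigest()})
    token = auth_service.issue_token(username, password, cfg["ua:resourceId"])
    issued = {"policyId": pol["policyId"],          # IssuedIdentityToken fields (7.41.6)
              "tokenData": token.encode(),
              "encryptionAlgorithm": None}          # encryption of tokenData omitted here
    server = ToyServer(server_key, cfg["ua:resourceId"], {cfg["ua:authorityUrl"]})
    return server.activate_session(issued)
```

Running `indirect_handshake("operator", "hunter2")` returns the subject the Server accepted; the rogue policy is skipped because its authority is neither https nor in the trust list, and a tampered, expired or wrongly-addressed token is rejected before any session is activated.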