The IssuedIdentityToken is used to pass SecurityTokens issued by an external Authorization Service to the Server. These tokens may be text or binary.

OAuth2 defines a standard for Authorization Services that produce JSON Web Tokens (JWT). These JWTs are passed as an Issued Token to an OPC UA Server which uses the signature contained in the JWT to validate the token. OPC 10000-6 describes OAuth2 and JWTs in more detail. If the token is encrypted, it shall use the EncryptedSecret format defined in 7.41.2.3.

This token shall be encrypted by the Client if required by the SecurityPolicy of the UserTokenPolicy. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None and no transport layer encryption is available. The SecurityPolicy of the SecureChannel is used if no SecurityPolicy is specified in the UserTokenPolicy.

If the SecurityPolicy is not None, the tokenData shall be encoded in UTF-8 (if it is not already binary), signed and encrypted according to the rules specified for the tokenType of the associated UserTokenPolicy (see 7.42).

If the SecurityPolicy is None then the tokenData only contains the UTF-8 encoded tokenData. This configuration should not be used unless the network is encrypted in some other manner such as a VPN. The use of this configuration without network encryption would result in a serious security fault, in that it would cause the appearance of a secure user access, but it would make the token visible in clear text.

Table 195 defines the IssuedIdentityToken parameter.

Table 195 – IssuedIdentityToken

Name | Type | Description
--- | --- | ---
IssuedIdentityToken | structure | The token provided by an Authorization Service.
policyId | String | An identifier for the UserTokenPolicy that the token conforms to. The UserTokenPolicy structure is defined in 7.42.
tokenData | ByteString | The text or binary representation of the token. The format of the data depends on the associated UserTokenPolicy.
encryptionAlgorithm | String | The URI of the AsymmetricEncryptionAlgorithm. The list of OPC UA-defined names that may be used is specified in OPC 10000-7. See Table 193 for details on picking the correct URI. This parameter is null or empty if the tokenData is not encrypted or if the EncryptedSecret format is used.
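The acceptance rules stated above (the UserTokenPolicy's SecurityPolicy taking precedence over the SecureChannel's, a clear-text token under SecurityPolicy None being acceptable only when the transport itself is encrypted, encryptionAlgorithm being null or empty when tokenData is not encrypted, and the Server validating the JWT by its signature) can be written out as one server-side check. The following Python is an added illustration, not code from the OPC UA specification or any OPC UA stack: the dataclass fields loosely mirror Table 195, the SecurityPolicy URI constant comes from OPC 10000-7 rather than this page, the JWT algorithm (HS256 with a shared key) and the sample key and claims are constructed assumptions chosen so the example runs with the standard library only, and decryption of a token sent under a non-None SecurityPolicy is left to an injected callback because that format is defined in 7.42 and 7.41.2.3, not here.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# URI of the None SecurityPolicy as defined in OPC 10000-7 (assumed; not quoted on this page).
SECURITY_POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"


@dataclass
class UserTokenPolicy:
    policy_id: str
    token_type: str                      # "IssuedToken" for the tokens handled here
    security_policy_uri: Optional[str]   # None or "" means: inherit the SecureChannel's policy


@dataclass
class IssuedIdentityToken:
    policy_id: str
    token_data: bytes                    # UTF-8 JWT text, possibly signed+encrypted per 7.42
    encryption_algorithm: Optional[str]  # null/empty when tokenData is not encrypted


def effective_security_policy(policy: UserTokenPolicy, channel_policy_uri: str) -> str:
    """The UserTokenPolicy's SecurityPolicy applies; if unset, the SecureChannel's does."""
    return policy.security_policy_uri or channel_policy_uri


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256_jwt(payload: dict, key: bytes) -> str:
    """Constructed stand-in for the Authorization Service that mints the JWT (HS256 assumed)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("utf-8"))
    body = _b64url_encode(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Check the signature before trusting any claim; refuse any other alg value."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("JWT signature invalid")
    return json.loads(_b64url_decode(body_b64))


def accept_issued_token(
    token: IssuedIdentityToken,
    policies: Dict[str, UserTokenPolicy],
    channel_policy_uri: str,
    transport_encrypted: bool,
    jwt_key: bytes,
    decrypt: Optional[Callable[[bytes, str], bytes]] = None,
) -> dict:
    """Apply the IssuedIdentityToken rules and return the verified claims, or raise ValueError."""
    policy = policies.get(token.policy_id)
    if policy is None or policy.token_type != "IssuedToken":
        raise ValueError(f"policyId {token.policy_id!r} is not an IssuedToken policy")
    sec = effective_security_policy(policy, channel_policy_uri)
    if sec == SECURITY_POLICY_NONE:
        # Clear-text token: acceptable only if the transport itself encrypts (e.g. a VPN).
        if not transport_encrypted:
            raise ValueError("refusing clear-text IssuedIdentityToken on unencrypted transport")
        if token.encryption_algorithm:
            raise ValueError("encryptionAlgorithm must be null/empty when tokenData is not encrypted")
        plain = token.token_data
    else:
        # Signed+encrypted per 7.42; the decryption routine is deployment-specific and injected.
        if decrypt is None:
            raise ValueError(f"no decryption configured for SecurityPolicy {sec}")
        plain = decrypt(token.token_data, sec)
    jwt_text = plain.decode("utf-8")          # tokenData carries the UTF-8 encoded token
    return verify_hs256_jwt(jwt_text, jwt_key)


# Constructed sample data for a stand-alone run.
SAMPLE_KEY = b"demo-shared-secret-not-for-production"
POLICIES = {"jwt-none": UserTokenPolicy("jwt-none", "IssuedToken", None)}


def demo() -> dict:
    jwt = sign_hs256_jwt({"sub": "alice", "scope": "opcua.read"}, SAMPLE_KEY)
    token = IssuedIdentityToken("jwt-none", jwt.encode("utf-8"), None)
    return accept_issued_token(token, POLICIES, SECURITY_POLICY_NONE, True, SAMPLE_KEY)


if __name__ == "__main__":
    print(demo())
```

The `transport_encrypted` flag is the server's own knowledge of whether the connection is protected by something other than the SecureChannel (a TLS or VPN tunnel); when it is false and the effective SecurityPolicy is None, the token is rejected rather than silently accepted in clear text, which is the failure mode the text warns about.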