Authorization Services (AS) provide access to identity providers which can validate the credentials provided by Clients. They then provide tokens which can be passed to a Server instead of the credentials. These tokens are passed as an IssuedIdentityToken defined in 7.36.6.

The protocol to request tokens depends on the Authorization Service (AS). Common protocols include Kerberos and OAuth2. OAuth2 supports claims based authorization as described in OPC 10000-2.

Servers publish the Authorization Services (AS) they support in the UserTokenPolicies list return with GetEndpoints. The IssuedTokenType field specifies the protocol used to communicate with the AS. The IssuerEndpointUrl field contains the information needed by the Client to connect to the AS using the protocol required by the AS.

The basic handshake is shown in Figure 24.


Figure 24 – Indirect Handshake with an Identity Provider