The components of this parameter are defined in Table 192.

Table 192 – UserTokenPolicy

Name: UserTokenPolicy
Type: structure
Description: Specifies a UserIdentityToken that a Server will accept.

Name: policyId
Type: String
Description: An identifier for the UserTokenPolicy assigned by the Server. The identifier may be null or empty. Null or empty are equal. The identifier shall be unique across the UserTokenPolicies assigned by the Server.
The Client specifies this value when it constructs a UserIdentityToken that conforms to the policy.
This value is only unique within the context of a single Server.

Name: tokenType
Type: Enum UserTokenType
Description: The type of user identity token required. The UserTokenType is defined in 7.42.
A tokenType of ANONYMOUS indicates that the Server does not require any user identification. In this case, the Client ApplicationInstanceCertificate is used as the user identification.

Name: issuedTokenType
Type: String
Description: A URI for the type of token.
OPC 10000-6 defines URIs for common issued token types.
Vendors may specify their own token types.
This field may only be specified if tokenType is ISSUEDTOKEN.

Name: issuerEndpointUrl
Type: String
Description: An optional string which depends on the Authorization Service.
The meaning of this value depends on the issuedTokenType. Further details for the different token types are defined in OPC 10000-6.
For JWTs this is a JSON object with fields defined in OPC 10000-6.

Name: securityPolicyUri
Type: String
Description: The security policy to use when encrypting or signing the UserIdentityToken when it is passed to the Server in the ActivateSession request. Clause 7.40 describes how this parameter is used.
The security policy for the SecureChannel is used if this value is null or empty.

When a UserTokenPolicy is returned in an EndpointDescription all of the information needed to use that UserTokenPolicy shall be in the EndpointDescription. For example, a UserTokenPolicy requiring RSA based encryption algorithms can only be returned in EndpointDescription with an RSA ServerCertificate.

If the SecurityMode is None, SecurityPolicies based on ECC or RSA_DH are not allowed and Clients shall not use UserTokenPolicies that require encryption with these SecurityPolicies. RSA based SecurityPolicies are allowed, however, the Client shall only use a ServerCertificate which it trusts to encrypt UserIdentityTokens with tokenType USERNAME or ISSUEDTOKEN.

If the SecurityMode is not None, USERNAME and ISSUEDTOKEN UserTokenPolicies should specify the same SecurityPolicy as the EndpointDescription or should not explicitly specify a SecurityPolicy. If a SecurityPolicy is specified, it shall use the same PublicKey algorithm as the SecureChannel. An EndpointDescription shall have no more than one USERNAME UserTokenPolicy and no more than one ISSUEDTOKEN UserTokenPolicy for each unique issuerEndpointUrl.

If the tokenType is CERTIFICATE, the securityPolicyUri may be any valid SecurityPolicy. The choice of SecurityPolicy is system specific and depends on the infrastructure that issues the Certificates to users. If the system supports multiple PublicKey algorithms for user Certificates then the Server returns multiple CERTIFICATE UserTokenPolicies in the EndpointDescriptions.
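The rules in Table 192 and the paragraphs above are the checks a Client should run before it picks a UserTokenPolicy and encrypts a UserIdentityToken with it. The following is an added, constructed example of those checks; it is not code from the OPC UA specification or from any OPC UA stack. The field names mirror Table 192, while the helper names (public_key_algorithm, validate_user_token_policies, effective_policy), the way a SecurityPolicy URI fragment is mapped to a public-key algorithm, the refusal of clear-text USERNAME/ISSUEDTOKEN tokens and the sample endpoints are assumptions made for this example.

```python
"""Client-side checks on the UserTokenPolicy entries of an EndpointDescription.

Constructed illustration of the Table 192 rules, not code from the OPC UA
specification or any OPC UA stack. Helper names and sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_RSA = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
POLICY_ECC = "http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256"


class UserTokenType(Enum):
    ANONYMOUS = 0
    USERNAME = 1
    CERTIFICATE = 2
    ISSUEDTOKEN = 3


class MessageSecurityMode(Enum):
    NONE = 1
    SIGN = 2
    SIGNANDENCRYPT = 3


@dataclass
class UserTokenPolicy:                    # fields as in Table 192
    policyId: Optional[str]
    tokenType: UserTokenType
    issuedTokenType: Optional[str] = None
    issuerEndpointUrl: Optional[str] = None
    securityPolicyUri: Optional[str] = None


@dataclass
class EndpointDescription:                # only the fields this example needs
    securityMode: MessageSecurityMode
    securityPolicyUri: str
    serverCertificateTrusted: bool        # result of the Client's own trust check
    userIdentityTokens: List[UserTokenPolicy]


# Token types whose UserIdentityToken carries a secret and is encrypted to the Server.
ENCRYPTED_TOKENS = (UserTokenType.USERNAME, UserTokenType.ISSUEDTOKEN)


def public_key_algorithm(uri: str) -> Optional[str]:
    """Assumption: the URI fragment names the family ('None' -> no key algorithm,
    'ECC_*' -> ECC, 'RSA_DH*' -> RSA_DH, anything else such as Basic256Sha256 -> RSA)."""
    name = uri.rsplit("#", 1)[-1]
    if name == "None":
        return None
    if name.startswith("ECC_"):
        return "ECC"
    if name.startswith("RSA_DH"):
        return "RSA_DH"
    return "RSA"


def validate_user_token_policies(ep: EndpointDescription) -> List[str]:
    """Return the Table 192 consistency rules that ep violates (empty list: none)."""
    problems: List[str] = []
    channel_alg = public_key_algorithm(ep.securityPolicyUri)
    seen_ids, issuers, username_policies = set(), set(), 0
    for p in ep.userIdentityTokens:
        pid = p.policyId or ""                    # null and empty policyId are equal
        if pid in seen_ids:
            problems.append(f"{pid!r}: policyId not unique")
        seen_ids.add(pid)
        if p.issuedTokenType and p.tokenType != UserTokenType.ISSUEDTOKEN:
            problems.append(f"{pid!r}: issuedTokenType set but tokenType is not ISSUEDTOKEN")
        if p.tokenType == UserTokenType.USERNAME:
            username_policies += 1
        elif p.tokenType == UserTokenType.ISSUEDTOKEN:
            if p.issuerEndpointUrl in issuers:
                problems.append(f"{pid!r}: second ISSUEDTOKEN policy for issuer {p.issuerEndpointUrl!r}")
            issuers.add(p.issuerEndpointUrl)
        # A null/empty securityPolicyUri means "use the SecureChannel's policy".
        alg = public_key_algorithm(p.securityPolicyUri or ep.securityPolicyUri)
        if ep.securityMode == MessageSecurityMode.NONE:
            if alg in ("ECC", "RSA_DH"):
                problems.append(f"{pid!r}: {alg} policy not allowed when SecurityMode is None")
        elif p.tokenType in ENCRYPTED_TOKENS and p.securityPolicyUri and alg != channel_alg:
            problems.append(f"{pid!r}: key algorithm {alg} differs from the SecureChannel's {channel_alg}")
    if username_policies > 1:
        problems.append("more than one USERNAME policy in the EndpointDescription")
    return problems


def effective_policy(ep: EndpointDescription, p: UserTokenPolicy) -> str:
    """SecurityPolicy the Client applies to the UserIdentityToken for p on ep.
    Raises ValueError when the Client must refuse to use the policy."""
    uri = p.securityPolicyUri or ep.securityPolicyUri
    alg = public_key_algorithm(uri)
    if p.tokenType in ENCRYPTED_TOKENS:
        if alg is None:
            # Client choice in this example, not a Table 192 rule: a password or
            # issued token under SecurityPolicy None would travel in clear text.
            raise ValueError(f"{p.policyId!r}: token would be sent unencrypted")
        if ep.securityMode == MessageSecurityMode.NONE:
            if alg != "RSA":
                raise ValueError(f"{p.policyId!r}: {alg} encryption not allowed with SecurityMode None")
            if not ep.serverCertificateTrusted:
                raise ValueError(f"{p.policyId!r}: refusing to encrypt to an untrusted ServerCertificate")
    return uri


# Constructed sample endpoints (not captured from a real Server).
OPEN_ENDPOINT = EndpointDescription(
    MessageSecurityMode.NONE, POLICY_NONE, serverCertificateTrusted=True,
    userIdentityTokens=[
        UserTokenPolicy("anon", UserTokenType.ANONYMOUS),
        UserTokenPolicy("user_rsa", UserTokenType.USERNAME, securityPolicyUri=POLICY_RSA),
        UserTokenPolicy("user_ecc", UserTokenType.USERNAME, securityPolicyUri=POLICY_ECC),
    ])
SECURE_ENDPOINT = EndpointDescription(
    MessageSecurityMode.SIGNANDENCRYPT, POLICY_RSA, serverCertificateTrusted=True,
    userIdentityTokens=[
        UserTokenPolicy("user", UserTokenType.USERNAME),      # inherits the channel's RSA policy
        UserTokenPolicy("cert", UserTokenType.CERTIFICATE, securityPolicyUri=POLICY_ECC),
    ])
```

Running validate_user_token_policies on OPEN_ENDPOINT reports the ECC USERNAME policy (not allowed with SecurityMode None) and the second USERNAME policy; SECURE_ENDPOINT passes, because a CERTIFICATE policy may name any SecurityPolicy and the USERNAME policy without a securityPolicyUri falls back to the channel's Basic256Sha256. effective_policy shows the Client side of the same rules: on the open endpoint the RSA USERNAME policy is usable only while the ServerCertificate is trusted, and the ECC one is refused outright.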