JSON Web Token (JWT) UserIdentityTokenscan be passed to the Serverusing the IssuedIdentityToken. The body of the token is a string that contains the JWT as defined in RFC 8259.

Serversthat support JWT authentication shall provide a UserTokenPolicywhich specifies the Authorization Servicewhich provides the token and the parameters needed to access that service. The parameters are specified by a JSON object specified as the issuerEndpointUrl. The contents of this JSON object are described in Table 48. The general UserTokenPolicy settings for JWT are defined in Table 47.

Table 47– JWT UserTokenPolicy

Name

Description

tokenType

ISSUEDTOKEN_3

issuedTokenType

http://opcfoundation.org/UA/UserToken#JWT

issuerEndpointUrl

For JWTs this is a JSON object with fields defined in Table 48.

Table 48– JWT IssuerEndpointUrl Definition

Name

Type

Description

IssuerEndpointUrl

JSON object

Specifies the parameters for a JWT UserIdentityToken.

ua:resourceId

String

The URI identifying the Serverto the Authorization Service.

If not specified, the Server’s ApplicationUriis used.

ua:authorityUrl

String

The base URL for the Authorization Service.

This URL may be used to discover additional information about the authority.

This field is equivalent to the “issuer” defined in OpenID-Discovery.

ua:authorityProfileUri

String

The profile that defines the interactions with the authority.

If not specified, the URI is “http://opcfoundation.org/UA/Authorization#OAuth2”.

A set of possible authorities are in the Profile: http://opcfoundation.org/UA-Profile/Security/UserToken/Server/JsonWebToken

ua:tokenEndpoint

String

A path relative to the base URL used to request Access Tokens.

This field is equivalent to the “token_endpoint” defined in OpenID-Discovery.

ua:authorizationEndpoint

String

A path relative to the base URL used to validate user credentials.

This field is equivalent to the “authorization_endpoint” defined in OpenID-Discovery.

ua:requestTypes

JSON array

String

The list of request types supported by the authority.

The possible values are described in 6.5.3.3to 6.5.3.5.

If not specifed the default is “authorization_code”.

ua:scopes

JSON array

String

A list of Scopes that are understood by the Server.

If not specified, the Clientmay be able to access any Scopesupported by the Authorization Service.

This field is equivalent to the “scopes_supported” defined in OpenID-Discovery.