Servers that support JWT authentication shall provide a UserTokenPolicy which specifies the Authorization Service which provides the token and the parameters needed to access that service. The parameters are specified by a JSON object specified as the issuerEndpointUrl. The contents of this JSON object are described in Table 54. The general UserTokenPolicy settings for JWT are defined in Table 53.
Table 53 – JWT UserTokenPolicy
|
Name |
Description |
|
tokenType |
ISSUEDTOKEN_3 |
|
issuedTokenType |
|
|
issuerEndpointUrl |
For JWTs this is a JSON object with fields defined in Table 54. |
Table 54 – JWT IssuerEndpointUrl Definition
|
Name |
Type |
Required |
Description |
|
IssuerEndpointUrl |
JSON object |
Yes |
Specifies the parameters for a JWT UserIdentityToken. |
|
ua:resourceId |
String |
Yes |
The URI identifying the Server to the Authorization Service. The default value is the Server’s ApplicationUri. |
|
ua:authorityUrl |
String |
Yes |
The base URL for the Authorization Service. This URL may be used to discover additional information about the authority. This field is equivalent to the "issuer" defined in OpenID-Discovery. |
|
ua:authorityProfileUri |
String |
Yes |
The profile that defines the interactions with the authority. The default URI is "http://opcfoundation.org/UA/Authorization#OPCUA". A set of possible authorities are in the Profile: http://opcfoundation.org/UA-Profile/Security/UserToken/Server/JsonWebToken |
|
ua:tokenEndpoint |
String |
Depends on authorityProfileUri |
A path relative to the base URL used to request Access Tokens. If the authorityProfileUri is OPCUA, then this is the NodeId of the AuthorizationService Object encoded as described in 5.4.2.10. This field is equivalent to the "token_endpoint" defined in OpenID-Discovery. |
|
ua:authorizationEndpoint |
String |
No |
A path relative to the base URL used to validate user credentials. If the authorityProfileUri is OPCUA, then this is the NodeId of the UserTokenProfile Property of the AuthorizationService Object encoded as described in 5.4.2.10. This field is equivalent to the "authorization_endpoint" defined in OpenID-Discovery. |
|
ua:requestTypes |
JSON array String |
No |
The list of request types supported by the authority. The possible values are described in 6.5.3.2 to 6.5.3.4. If not specified the default is "authorization_code". |
|
ua:scopes |
JSON array String |
No |
A list of Scopes that are understood by the Server. If not specified, the Client may be able to access any Scope supported by the Authorization Service. This field is equivalent to the "scopes_supported" defined in OpenID-Discovery. |