The information model for AuthorizationServices which allow Clients to request Access Tokens from a Server is shown in Figure 31.
Figure 31 – The Model for Requesting Access Tokens from AuthorizationServices
This ObjectType represents a folder that contains AuthorizationService Objects which may be accessed via the Server. It is defined in Table 101.
Table 101 – AuthorizationServicesFolderType Definition
|
Attribute |
Value |
|||
|
BrowseName |
2:AuthorizationServicesFolderType |
|||
|
IsAbstract |
False |
|||
|
References |
NodeClass |
BrowseName |
TypeDefinition |
Modelling Rule |
|
Subtype of the FolderType defined in OPC 10000-5. |
||||
|
0:Organizes |
Object |
2:<ServiceName> |
2:AuthorizationServiceType |
OptionalPlaceholder |
|
|
||||
|
Conformance Units |
||||
|
GDS Authorization Service Server |
||||
This Object is an instance of AuthorizationServicesFolderType It contains The AuthorizationService Objects which may be accessed via the GDS. It is the target of an Organizes reference from the Objects Folder defined in OPC 10000-5. It is defined in Table 102.
Table 102 – AuthorizationServices Object Definition
|
Attribute |
Value |
|||
|
BrowseName |
2:AuthorizationServices |
|||
|
TypeDefinition |
2:AuthorizationServicesFolderType defined in 9.6.2. |
|||
|
References |
NodeClass |
BrowseName |
TypeDefinition |
Modelling Rule |
|
|
||||
|
Conformance Units |
||||
|
GDS Authorization Service Server |
||||
This ObjectType is the TypeDefinition for an Object that allows access to an AuthorizationService. It is defined in Table 103.
Table 103 – AuthorizationServiceType Definition
|
Attribute |
Value |
||||
|
BrowseName |
2:AuthorizationServiceType |
||||
|
IsAbstract |
False |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of the BaseObjectType defined in OPC 10000-5. |
|||||
|
0:HasProperty |
Variable |
2:ServiceUri |
0:String |
0:PropertyType |
Mandatory |
|
0:HasProperty |
Variable |
2:ServiceCertificate |
0:ByteString |
0:PropertyType |
Mandatory |
|
0:HasProperty |
Variable |
2:UserTokenPolicies |
0:UserTokenPolicy [] |
0:PropertyType |
Optional |
|
0:HasComponent |
Method |
2:GetServiceDescription |
Defined in 9.6.6. |
Mandatory |
|
|
0:HasComponent |
Method |
2:RequestAccessToken |
Defined in 9.6.5. |
Optional |
|
|
|
|||||
|
Conformance Units |
|||||
|
GDS Authorization Service Server |
|||||
The ServiceUri is a globally unique identifier that allows a Client to correlate an instance of AuthorizationServiceType with instances of AuthorizationServiceConfigurationType (see 9.7.4).
The ServiceCertificate is the Certificate required to check any Signature that is included with the Access Tokens. The ServiceCertificate may be a complete chain (see OPC 10000-6 for information on encoding chains).
The UserTokenPolicies Property specifies the UserIdentityTokens which are accepted by the RequestAccessToken Method.
The GetServiceDescription Method is used read the metadata needed to request Access Tokens.
The RequestAccessToken Method is used to request an Access Token from the AuthorizationService.
RequestAccessToken is used to request an Access Token from an AuthorizationService. The scenarios where this Method is used are described fully in 9.3, 9.4 and 9.5.
The PolicyId and UserTokenType of the identityToken shall match one of the elements of the UserTokenPolicies Property. If the identityToken is not provided the Server should use the ApplicationInstanceCertificate and/or the UserIdentityToken provided for the Session (or the request if using a Session-less Method Call) to determine privileges.
If the associated UserTokenPolicy provides a SecurityPolicyUri, then the identityToken is encrypted and digitally signed using the format defined for UserIdentityToken secrets in OPC 10000-4.
For UserNameIdentityTokens the secret is the password and the signature is created with the Client ApplicationInstanceCertificate. The signed and encrypted secret is passed in the password field.
For X.509 v3 IdentityTokens the secret is null and signature is created with the key associated with user Certificate. The signed and encrypted secret is passed in the certificateData field.
For IssuedIdentityTokens the secret is the token and the signature is created with the key associated a user Certificate or the Client ApplicationInstanceCertificate. The signed and encrypted secret is passed in the tokenData field.
The Server shall check the signingTime in against the current system clock. The Server shall reject the request if the signingTime is outside of a configurable range. A suitable default value is 5 minutes. The permitted clock skew is a Server configuration parameter.
This Method shall be called from an encrypted SecureChannel and from a Client that has access to the AccessTokenRequestor Privilege (see 9.2).
Signature
RequestAccessToken (
[in] UserIdentityToken identityToken
[in] String resourceId
[out] String accessToken
);
|
Argument |
Description |
|
identityToken |
The identity used to authorize the Access Token request. |
|
resourceId |
The identifier for the Resource that the Access Token is used to access. This is usually the ApplicationUri for a Server. |
|
accessToken |
The Access Token granted to the application. |
Method Result Codes (defined in Call Service)
|
Result Code |
Description |
|
Bad_IdentityTokenInvalid |
The identityToken does not match one of the allowed UserTokenPolicies. |
|
Bad_IdentityTokenRejected |
The identityToken was rejected. |
|
Bad_NotFound |
The resourceId is not known to the Server. |
|
Bad_UserAccessDenied |
The current user does not have the rights required. |
Table 104 specifies the AddressSpace representation for the RequestAccessToken Method.
Table 104 – RequestAccessToken Method AddressSpace Definition
|
Attribute |
Value |
||||
|
BrowseName |
2:RequestAccessToken |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
|
0:HasProperty |
Variable |
0:InputArguments |
0:Argument[] |
0:PropertyType |
Mandatory |
|
0:HasProperty |
Variable |
0:OutputArguments |
0:Argument[] |
0:PropertyType |
Mandatory |
GetServiceDescription is used to read the metadata needed to request Access Tokens from the AuthorizationService.
Signature
GetServiceDescription (
[out] String serviceUri
[out] ByteString serviceCertificate
[out] UserTokenPolicy[] userTokenPolicies
);
|
Argument |
Description |
|
serviceUri |
A globally unique identifier for the AuthorizationService. |
|
serviceCertificate |
The complete chain of Certificates needed to validate the Access Tokens provided by the AuthorizationService. |
|
userTokenPolicies |
The UserIdentityTokens accepted by the AuthorizationService. |
Method Result Codes (defined in Call Service)
|
Result Code |
Description |
|
Bad_UserAccessDenied |
The current user does not have the rights required. |
Table 105 specifies the AddressSpace representation for the GetServiceDescription Method.
Table 105 – GetServiceDescription Method AddressSpace Definition
|
Attribute |
Value |
||||
|
BrowseName |
2:GetServiceDescription |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
|
0:HasProperty |
Variable |
0:OutputArguments |
0:Argument[] |
0:PropertyType |
Mandatory |
This event is raised when a AccessToken is issued.
This is the result of a RequestAccessToken Method completing.
This Event and it subtypes are security related and Servers shall only report them to users authorized to view security related audit events.
Its representation in the AddressSpace is formally defined in Table 106.
Table 106 – AccessTokenIssuedAuditEventType Definition
|
Attribute |
Value |
||||
|
BrowseName |
2:AccessTokenIssuedAuditEventType |
||||
|
IsAbstract |
True |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of the 0:AuditUpdateMethodEventType defined in OPC 10000-5. |
|||||
|
|
|||||
|
Conformance Units |
|||||
|
GDS Authorization Service Server |
|||||
This EventType inherits all Properties of the AuditUpdateMethodEventType. Their semantic is defined in OPC 10000-5.