RequestAccessToken is used to request an Access Token from an AuthorizationService. The scenarios where this Method is used are described fully in 9.3, 9.4 and 9.5.

The PolicyId and UserTokenType of the identityToken shall match one of the elements of the UserTokenPolicies Property. If the identityToken is not provided the Server should use the ApplicationInstanceCertificate and/or the UserIdentityToken provided for the Session (or the request if using a Session-less Method Call) to determine privileges.

If the associated UserTokenPolicy provides a SecurityPolicyUri, then the identityToken is encrypted and digitally signed using the format defined for UserIdentityToken secrets in OPC 10000-4.

For UserNameIdentityTokens the secret is the password and the signature is created with the Client ApplicationInstanceCertificate. The signed and encrypted secret is passed in the password field.

For X.509 v3 IdentityTokens the secret is null and signature is created with the key associated with user Certificate. The signed and encrypted secret is passed in the certificateData field.

For IssuedIdentityTokens the secret is the token and the signature is created with the key associated a user Certificate or the Client ApplicationInstanceCertificate. The signed and encrypted secret is passed in the tokenData field.

The Server shall check the signingTime in against the current system clock. The Server shall reject the request if the signingTime is outside of a configurable range. A suitable default value is 5 minutes. The permitted clock skew is a Server configuration parameter.

This Method shall be called from an encrypted SecureChannel and from a Client that has access to the AccessTokenRequestor Privilege (see 9.2).

Signature

RequestAccessToken (

[in] UserIdentityToken identityToken

[in] String resourceId

[out] String accessToken

);

Argument

Description

identityToken

The identity used to authorize the Access Token request.

resourceId

The identifier for the Resource that the Access Token is used to access.

This is usually the ApplicationUri for a Server.

accessToken

The Access Token granted to the application.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_IdentityTokenInvalid

The identityToken does not match one of the allowed UserTokenPolicies.

Bad_IdentityTokenRejected

The identityToken was rejected.

Bad_NotFound

The resourceId is not known to the Server.

Bad_UserAccessDenied

The current user does not have the rights required.

Table 104 specifies the AddressSpace representation for the RequestAccessToken Method.

Table 104 – RequestAccessToken Method AddressSpace Definition

Attribute

Value

BrowseName

2:RequestAccessToken

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

0:HasProperty

Variable

0:InputArguments

0:Argument[]

0:PropertyType

Mandatory

0:HasProperty

Variable

0:OutputArguments

0:Argument[]

0:PropertyType

Mandatory