The information model used to provide Servers with the information needed to accept Access Tokens from AuthorizationServices is shown in Figure 34.
Figure 34 – The Model for Configuring Servers to use AuthorizationServices
If a Server is also a Client that needs to access the AuthorizationService, the necessary KeyCredentials can be provided with the push configuration management model (see 8.4).
This ObjectType represents a folder that contains AuthorizationServiceConfiguration Objects which may be accessed via the Server. It is defined in Table 150.
Table 150 – AuthorizationServicesConfigurationFolderType Definition

| Attribute | Value | | | |
|---|---|---|---|---|
| BrowseName | 0:AuthorizationServicesConfigurationFolderType | | | |
| IsAbstract | False | | | |
| References | NodeClass | BrowseName | TypeDefinition | Modelling Rule |
| Subtype of the 0:FolderType defined in OPC 10000-5. | | | | |
| 0:HasComponent | Object | 0:<ServiceName> | 0:AuthorizationServiceConfigurationType | OptionalPlaceholder |
| Conformance Units | | | | |
| Authorization Service Configuration Server | | | | |
This Object is an instance of AuthorizationServicesConfigurationFolderType. It contains the AuthorizationServiceConfiguration Objects which may be accessed via the Server. It is the target of a HasComponent reference from the ServerConfiguration Object defined in 7.10.4. It is defined in Table 151.
Table 151 – AuthorizationServices Object Definition

| Attribute | Value | | | |
|---|---|---|---|---|
| BrowseName | 0:AuthorizationServices | | | |
| TypeDefinition | 0:AuthorizationServicesConfigurationFolderType defined in 9.6.2. | | | |
| References | NodeClass | BrowseName | TypeDefinition | Modelling Rule |
| Conformance Units | | | | |
| Authorization Service Configuration Server | | | | |
This ObjectType is the TypeDefinition for an Object that allows the configuration of an AuthorizationService used by a Server. It is defined in Table 152.
Table 152 – AuthorizationServiceConfigurationType Definition

| Attribute | Value | | | | |
|---|---|---|---|---|---|
| BrowseName | 0:AuthorizationServiceConfigurationType | | | | |
| IsAbstract | False | | | | |
| References | NodeClass | BrowseName | DataType | TypeDefinition | Modelling Rule |
| Subtype of the 0:BaseObjectType defined in OPC 10000-5. | | | | | |
| 0:HasProperty | Variable | 0:ServiceUri | 0:String | 0:PropertyType | Mandatory |
| 0:HasProperty | Variable | 0:ServiceCertificate | 0:ByteString | 0:PropertyType | Mandatory |
| 0:HasProperty | Variable | 0:IssuerEndpointUrl | 0:String | 0:PropertyType | Mandatory |
| Conformance Units | | | | | |
| Authorization Service Configuration Server | | | | | |
The ServiceUri Property uniquely identifies the AuthorizationService.
The ServiceCertificate Property has the Certificate(s) needed to verify Access Tokens issued by the AuthorizationService. The value is the complete chain of Certificates needed for verification (see OPC 10000-6 for information on encoding chains).
The IssuerEndpointUrl is the value of the IssuerEndpointUrl in UserTokenPolicies which require the use of the AuthorizationService. The contents of this field depend on the AuthorizationService and are described in OPC 10000-6.
This type is used to serialize the AuthorizationService configuration. It is defined in Table 153.
This type is used as part of the ApplicationConfigurationDataType defined in 7.10.19, which allows multiple AuthorizationServices in a Server to be updated at once.
The Name of the record is the name portion of the BrowseName of the associated AuthorizationServiceConfiguration Object in the AddressSpace.
If multiple ServiceCertificates are specified, the first entry in the list is exposed with the ServiceCertificate Property on the AuthorizationServiceConfiguration Object.
Note that when a new AuthorizationServiceConfiguration is added, Clients need to browse the AuthorizationServices folder to discover the NodeId assigned by the Server that is needed for Certificate Management Methods.
Table 153 – AuthorizationServiceConfigurationDataType Structure

| Name | Type | Description |
|---|---|---|
| AuthorizationServiceConfigurationDataType | Structure | |
| ServiceUri | 0:UriString | A URI uniquely identifies the AuthorizationService. |
| ServiceCertificate | 0:ByteString[] | The CertificateChain needed to verify Access Tokens issued by the AuthorizationService. The Certificates appear in the array starting with the end-entity followed by its issuer. |
| Certificate | 0:ByteString | The Certificate needed to verify Access Tokens issued by the AuthorizationService. |
| Issuers | 0:ByteString[] | The Issuers needed to verify the Certificate. The Certificates appear in the array starting with the issuer of the Certificate. |
| ValidFrom | 0:UtcTime | When the Certificate may be used to verify AccessTokens. If null then the Certificate can be used any time after the ValidFrom field within the Certificate. |
| ValidTo | 0:UtcTime | After this time, the Certificate may not be used to verify AccessTokens. If null there is no expiry time other than the ValidTo field within the Certificate. |
| IssuerEndpointSettings | 0:String | The AuthorizationService specific settings that Clients need to know before requesting Access Tokens from the AuthorizationService. The syntax depends on the AuthorizationService. |
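The following Python is an added example, not part of OPC 10000-12 or any OPC UA stack. It models the Table 153 record in memory and applies the rules stated above: the first chain entry is what the ServiceCertificate Property exposes, a null ValidFrom/ValidTo falls back to the Certificate's own field, and ServiceUri must be unique. The assumption that a non-null ValidFrom/ValidTo only narrows the Certificate's own validity, and the class and function names, are this example's own; certificate parsing and the OPC UA encoding are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed in-memory form of the Table 153 record (field names mirror the
# spec; OPC UA binary encoding and X.509 parsing are outside this example).
@dataclass
class AuthorizationServiceConfigurationDataType:
    name: str                          # name portion of the Object's BrowseName
    service_uri: str                   # ServiceUri, uniquely identifies the service
    service_certificate: List[bytes]   # chain: end-entity first, then its issuer(s)
    valid_from: Optional[datetime] = None
    valid_to: Optional[datetime] = None
    issuer_endpoint_settings: str = ""

def exposed_service_certificate(rec) -> bytes:
    """Value the ServiceCertificate Property on the Object exposes: first chain entry."""
    if not rec.service_certificate:
        raise ValueError(f"{rec.name}: ServiceCertificate chain is empty")
    return rec.service_certificate[0]

def verification_window(rec, cert_not_before, cert_not_after):
    """Window in which the Certificate may be used to verify Access Tokens.
    Null ValidFrom/ValidTo fall back to the Certificate's own fields; a set value
    is assumed here to narrow (never widen) the Certificate's own validity."""
    start = cert_not_before if rec.valid_from is None else max(rec.valid_from, cert_not_before)
    end = cert_not_after if rec.valid_to is None else min(rec.valid_to, cert_not_after)
    return start, end

def may_verify_at(rec, now, cert_not_before, cert_not_after) -> bool:
    start, end = verification_window(rec, cert_not_before, cert_not_after)
    return start <= now <= end

def select_service(records, service_uri):
    """Find the configuration for a token's issuer; ServiceUri must be unique."""
    matches = [r for r in records if r.service_uri == service_uri]
    if len(matches) > 1:
        raise ValueError(f"duplicate ServiceUri {service_uri!r}")
    return matches[0] if matches else None

# Constructed sample: a key rollover where the new Certificate is staged early
# but, by ValidFrom, must not verify Access Tokens before 2024-07-01.
CERT_NB = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed notBefore
CERT_NA = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed notAfter
SAMPLE = AuthorizationServiceConfigurationDataType(
    name="ExampleAuthz", service_uri="urn:example:authz",
    service_certificate=[b"constructed-end-entity", b"constructed-issuer"],
    valid_from=datetime(2024, 7, 1, tzinfo=timezone.utc))
T_STAGED = datetime(2024, 3, 1, tzinfo=timezone.utc)  # before ValidFrom
T_ACTIVE = datetime(2024, 9, 1, tzinfo=timezone.utc)  # inside the window
```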
Its representation in the AddressSpace is defined in Table 154.
Table 154 – AuthorizationServiceConfigurationDataType Definition

| Attribute | Value | | | | |
|---|---|---|---|---|---|
| BrowseName | 0:AuthorizationServiceConfigurationDataType | | | | |
| IsAbstract | False | | | | |
| References | NodeClass | BrowseName | DataType | TypeDefinition | Other |
| Subtype of the 0:BaseConfigurationRecordDataType defined in 7.8.5.5. | | | | | |
| Conformance Units | | | | | |
| Authorization Service Configuration Server | | | | | |